Diaries

Published: 2006-02-28

Handlers - Down and Out in the Magic Kingdom

Once upon a time, eight handlers traveled to a Magic Kingdom, leaving their friends behind to sweep the floors, empty the ashes from the fireplace, and mind the store.  And lo, while their friends did labor long and hard, the eight naughty handlers danced and played among the inhabitants of that Magical place until they began to look and act... well... right at home.  Of course they moaned and complained that their time in the Magical Kingdom wasn't fun at all, but the friends they left behind knew better.



So, if you happen to be attending SANS 2006 and you see either Snow J or any of the dwarves... tell 'em we said "hi." (Note: Sincere apologies to Walt, his heirs, and assigns... Corporate lawyer-types: It's parody.  Lighten up.)


Published: 2006-02-28

Trouble Brewing? - Port 106 Activity

We received an email enquiry today from Mike asking if we had seen an increase in Port 106 activity.  He indicated that over the last 8 or 9 days he has seen an increase in traffic on port 106.  I looked at the information on this port at our DShield location and found that there is indeed something happening on Port 106.  On December 22 we started seeing an increase in data submissions on this port.  There are some known uses for the port but none of them really make much sense.  So - if anyone out in our viewing audience is seeing increases in Port 106 activity and can get us some data using a netcat listener, we would appreciate it.  We are curious about the traffic and what exactly it is looking for.
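To make the "netcat listener" request reproducible, here is an added example (not part of the original diary, and not an ISC tool) of a small Python TCP listener that records, for every connection to the port, the UTC time, the source address and a hex dump of the first bytes sent, which is exactly the data that tells you what the scanner is looking for. The port number comes from the diary; the 512-byte cap and 5-second read timeout are assumptions, and binding to a port below 1024 needs root or a redirect from a high port.

```python
import datetime
import socket
import sys

LISTEN_PORT = 106   # port discussed in the diary
MAX_BYTES = 512     # assumption: only the first bytes of each probe are kept
READ_TIMEOUT = 5.0  # assumption: give up waiting for a payload after this long


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes as offset / hex / printable-ASCII lines, xxd style."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s %s" % (off, width * 3, hexpart, asc))
    return "\n".join(lines)


def probe_record(src, data: bytes, when=None) -> dict:
    """Build one submission record: timestamp, source, size and dump of the payload."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return {
        "time": when.isoformat(),
        "src_ip": src[0],
        "src_port": src[1],
        "bytes": len(data),
        "hexdump": hexdump(data),
    }


def serve(port=LISTEN_PORT, max_connections=None):
    """Accept connections and print a record per probe; stop after max_connections if set."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(16)
        seen = 0
        while max_connections is None or seen < max_connections:
            conn, addr = srv.accept()
            buf = b""
            with conn:
                conn.settimeout(READ_TIMEOUT)
                try:
                    while len(buf) < MAX_BYTES:
                        chunk = conn.recv(MAX_BYTES - len(buf))
                        if not chunk:
                            break
                        buf += chunk
                except socket.timeout:
                    pass  # a connect with no payload is itself worth recording
            rec = probe_record(addr, buf)
            print("%s %s:%d %d bytes" % (rec["time"], rec["src_ip"], rec["src_port"], rec["bytes"]))
            if buf:
                print(rec["hexdump"])
            seen += 1


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else LISTEN_PORT)
```

Run it on a host that is already seeing the traffic and submit the printed records; a scanner that connects and sends nothing still yields a timestamped source line, which is useful for correlating with DShield data.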



Published: 2006-02-28

An Assignment From Professor Packetslinger of the School of Loose Screws


Update #1

We have received an overwhelming number of emails as a result of this diary.  This is to clarify a couple of things.  Yes, this professor could have set up his own systems for the students to use; yes, the students could have been instructed to get permission from the owners of the systems first; yes, any number of things could have been done to make this a valuable, worthwhile learning experience.  Unfortunately, that was not done.

We have also received several emails asking us to release the name of the institution that this refers to.  We won't do that, as we were asked not to in the diary.  It is our policy at the ISC to provide confidentiality when requested.  That is what allows us to cover such controversial subjects as we do.  Yes, what is being done by this Institution of Higher Education is incorrect.  We are pursuing a satisfactory resolution to this as best we can.  We also have not and will not publish the entire document.

John Bambenek, one of our handlers, who works at the University of Illinois, had this to say on the subject:

It's high time that the principles of academic freedom stop providing shields for felonious conduct or eventually the people and the government will take it away altogether.

We also have received a number of emails suggesting that we have a legal obligation to report this.  We are aware that this may be a possibility.  We assure all of our readers that we will indeed do what is right.  We may not talk about what we did, but we will do our best to make sure that this type of activity does not continue.  We truly want the Internet to be a safe place for all to work and play.

Hopefully this will answer some of the questions and concerns that are arising from this article.


Update #2

We have received indications there has been a partial callback of the assignment. We're inviting the professor to contact us directly for any statement and/or clarification he might want to offer.

If he does contact us with a statement we will update the diary again.  Again, thanks to all who did contact us concerning this, both the good and the bad.  We have responded to as many as we could (of course not to the ones that gave us phony email addresses).  We at the ISC appreciate the participation of everyone, whether you agree with us or not.  We learn a lot from the pros and the cons and enjoy the interaction.


We received an email today from a concerned colleague at one of the state colleges in the US. We promised the colleague that we would not reveal name or school so I won't. It is tempting, but I won't. This is an actual assignment. I am not making this up, this IS the real thing.

So here is the story of the assignment from Professor Packetslinger. In a Computer Security class in the Winter of 2006 (which by the way is next year if I remember correctly) the students have been given an assignment. The assignment is worth 15% of the final grade for the class. (So refusing to do the assignment very well could drop a student from an A to a B or worse in the blink of an eye).

The "TASK"

Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.

You got it. This is verbatim. Professor Packetslinger wants the students to conduct illegal activity involving port scanning and vulnerability scanning. He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic, and what vulnerabilities they see.

Hmm – seems to me that Professor Packetslinger wants the students to do all of the background work for him.

Ok so now what must the students submit in writing to Professor Packetslinger?

Let's see what he wants:

What the student must submit

The note to the students:

In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.

(This tells me that Professor Packetslinger is well aware of the laws and the fact that doing this without express permission and authorization IS against the law in most countries and municipalities. The same laws that the students are being asked to violate).

The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations [AKA break ins, our words], examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.

Can you believe it? Amazing, simply amazing. One important thing Professor Packetslinger failed to request:

Dates of student's incarceration so that they can be excused from class and not counted absent.

Ok, so the concerned colleague who contacted us about Professor Packetslinger and his assignment went on to explain:

"We've barked this one up our own tree of management. Word came down this morning that no direct action will be taken against the professor, but if we catch any students doing these scans against our computers we will not be exempting them from our existing procedure. Specifically, disabling their student account and referring them to the Student Dean of Corrections."

In other words, we won't discipline Professor Packetslinger, we won't stop the assignment from going forward. As long as the students don't scan our computers, it is ok. If they scan our computers they will be reprimanded and lose their privileges on campus.

This is incredible; this University is encouraging illegal activity. They are encouraging students to do something that is, in the words of fellow Handler Adrien:

Illegal, unethical, immoral.
How about just plain stupid and ignorant.

And handler Swa had this to say:

Doing it is illegal in many parts of the world. But using authority to have somebody else do something illegal is in some places on this world even worse than the act itself and any decent prosecutor should chop the prof in fine pieces over this.

Actually inciting somebody to do something illegal (even if the act isn't performed) might be a case on its own. Now if he fails a student over this, they might have no more reason not to put down an official complaint for being asked to perform illegal acts.

First thing to do: recall the assignment; tell the students they should not even consider it.  Next (public) apologies from the professor are the least. But at the _very_ least don't let him near kids anymore, as an educator he's a miserable failure.

This from our resident comedian Tom:

Spamming for Fun and Profit.

It is hard for me as a security professional to understand the logic of Professor Packetslinger. I have relatives in the fair city in which this prestigious state university resides. I am going to ask them to keep an eye on the local paper and shoot me off articles about the arrests. And I definitely will not recommend this school to my friends and relatives. My sympathy goes out to the students that will be forced into completing this assignment. My sympathy to their families, especially those who are caught and charged with computer crimes. I just hope that the dear professor gets to experience the full impact of his illegal, unethical and immoral acts and he too gets to spend some time behind bars.

How about the school?

As fellow Handler Lorna put it

Wonder how the school would feel about a law suit launched against THEM because of this assignment!

The school is allowing this assignment to go forward. They are as guilty of this crime as the professor and the students. They too need to pay the price and a lawsuit against them would be a small price to pay.


Published: 2006-02-28

Deja Vu - Snow.A

Notable behavior - "drops and install WinPcap network drivers", "flood network with spoofed arp packets (arp poisoning) " and "appends its code to all .EXE files in all drives, including mapped network drives and removable disks. Thus, it is able to propagate via the network and removable drives, such as flash drives and floppy disks."

Other - "first attempts to infect files which are running processes", "its main .EXE component respawns when it is terminated, making termination more difficult."
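The two network-visible behaviours quoted above, ARP poisoning with spoofed replies and the resulting churn in IP-to-MAC bindings, are what a defender can watch for. The following is an added example (not from the diary or from any AV vendor's analysis) of a small ARP watcher: it keeps the last MAC seen for each IP and raises an alert when an IP's MAC changes, or when one MAC claims more than a handful of IPs inside a short window, which is what a host flooding the LAN with spoofed replies looks like. The observations are constructed; the window and threshold values are assumptions, and on a real network you would feed the same three fields from a sniffer.

```python
from collections import defaultdict

# Constructed observations of ARP replies: (seconds, sender IP, sender MAC), the
# three fields a sniffer (arpwatch, a scapy sniff() callback) would hand you.
SAMPLE_ARP = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),   # gateway, legitimate
    (1.0, "192.168.1.10", "00:11:22:33:44:0a"),
    (2.0, "192.168.1.1",  "00:11:22:33:44:01"),
    (3.0, "192.168.1.1",  "DE:AD:BE:EF:00:01"),   # gateway IP now claimed by a different MAC
    (3.1, "192.168.1.10", "de:ad:be:ef:00:01"),   # same MAC claims other hosts too
    (3.2, "192.168.1.11", "de:ad:be:ef:00:01"),
    (3.3, "192.168.1.12", "de:ad:be:ef:00:01"),
]


class ArpWatch:
    """Track IP->MAC bindings and flag the two patterns an ARP-poisoning worm produces."""

    def __init__(self, max_ips_per_mac=3, window=5.0):   # assumed thresholds
        self.ip_to_mac = {}                 # last MAC seen for each IP
        self.claims = defaultdict(list)     # MAC -> [(time, ip)] claims inside the window
        self.max_ips_per_mac = max_ips_per_mac
        self.window = window
        self.alerts = []
        self._flooders = set()

    def observe(self, t, ip, mac):
        mac = mac.lower()                   # normalise case before comparing
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append({"kind": "ip_mac_change", "ip": ip,
                                "old": prev, "new": mac, "t": t})
        self.ip_to_mac[ip] = mac
        recent = [(ct, cip) for ct, cip in self.claims[mac] if t - ct <= self.window]
        recent.append((t, ip))
        self.claims[mac] = recent
        ips = sorted({cip for _, cip in recent})
        if len(ips) > self.max_ips_per_mac and mac not in self._flooders:
            self._flooders.add(mac)         # report each flooding MAC once, not per reply
            self.alerts.append({"kind": "mac_claims_many_ips", "mac": mac,
                                "ips": ips, "t": t})


def analyze_arp(records, **kwargs):
    """Replay a list of (time, ip, mac) observations and return the alerts raised."""
    watch = ArpWatch(**kwargs)
    for t, ip, mac in records:
        watch.observe(t, ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_ARP):
        print(alert)
```

A single MAC change is not proof of poisoning (DHCP lease churn and NIC replacements do the same), so the "ip_mac_change" alert for the gateway address is the one to treat as urgent; the "many IPs" alert is the stronger signal and points straight at the infected host.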

W32/Snow.a
http://vil.nai.com/vil/content/v_138727.htm

PE_SNOW.A

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_SNOW.A


Published: 2006-02-28

Followup on challenge "Spam, Recon or ??"

First off, I wanted to say thanks to all the folks willing to throw their hat in the ring on this one.  Analysis is fun and you will always find unique ways to look at things!  Right up front you have to know that sometimes you will never know what caused the traffic.  There are lots of lessons that you learn from doing analysis.  

First (which was the reason for this diary originally) is not to become complacent when looking at traffic.  That is one that will bite you in the end (no pun intended :>).  For example, remember in the diary that I initially wrote for this challenge I said "It has often been said that if you want to hide something, hide it in plain sight."  Well, that is so true, and if you have read the diary entry called Malware: When "comments" become commands, it reinforces the same concept.  The malware is going to a specific website repeatedly.  However, if you looked at the site, you would see nothing out of the ordinary.  Many folks don't even look at normal web traffic.  This is one that would fly under the radar, even with seasoned analysts, as the malware spaced out the visits since it was on a timer.  However, if you did an analysis of all your web traffic, this site might show up and might raise red flags.  The whole point is that the author of this malware hid everything in plain sight and made it look like normal web traffic.

Second is to always try to determine if there is a logical reason for the traffic before you don your tin foil hat and proceed to think that there are folks everywhere who are after you.  A happy medium is required.  You need to determine for your organization and its security needs what the best fit is.  However, I hope this has made you think twice about just hearing a port and saying "oh, it has to be ....." and never looking at it, or just seeing traffic and assuming that it is something without investigating it.

Let me start off by saying that a lot of folks did a lot of good work on this.  Even if your analysis was not on target, that's ok.  There were several things about this that led me down the same path that many of you took.  My analysis proved wrong later when we finally got captures of what it actually was.  However, kudos goes to fellow handler Don Smith, who nailed it right off the bat.

So, without any more ado.....the results of the analysis.  As a refresher you can read the diary that started this all: 
Spam, Recon or ??: You make the call!!

The packets turned out to be what some folks (including Don) thought they were: pop-up spam rejects, where the spammer was spoofing the IP range of our submitter, which is why he got the ICMP responses back.  Here is a capture of the payload of some of the traffic:  Payload of ICMP Packets

There were several things that many of you caught that made you wonder if this was indeed pop-up spam.  Some made me wonder too, such as: three types of ICMP messages (you can expect this if you are probing the security of the network), a source port of 0, the DF (Don't Fragment) flag set on a few of the packets (which seemed strange when you are sending UDP with such a small payload), TTL timeouts on some (why would you set it so low if you want to get spam through and ensure it doesn't time out), and the fact that ICMP Type 11 (Time Exceeded) had IPs getting two packets each while ICMP Type 3, Code 13 (Communication Administratively Prohibited) did not duplicate IPs.
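The indicators listed above (ICMP Type 11 and Type 3/Code 13, a source port of 0, DF set on a tiny UDP datagram, and the same reporting host sending two Time Exceeded messages) can all be read mechanically out of the ICMP error message, because every ICMP error quotes the IP header and first 8 bytes of the datagram that triggered it. This is an added example, not code from the diary: a parser for that quoted header plus a small report that lists the oddities per message and the hosts that reported more than once. The capture is constructed in the code (the spoofed sources and the spam targets are documentation addresses; the UDP ports 1026 and 1027 are the Windows Messenger pop-up ports, which the diary does not name), so only the shape of the analysis is the diary's.

```python
import socket
import struct
from collections import Counter, defaultdict

ICMP_NAMES = {(11, 0): "Time Exceeded (TTL expired in transit)",
              (3, 13): "Destination Unreachable / Communication Administratively Prohibited"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid packet checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_quoted_udp(src, dst, sport, dport, ttl, df):
    """Constructed IPv4 + UDP header pair, as a router quotes it inside an ICMP error."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, flags_frag, ttl, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)


def build_icmp_error(icmp_type, code, quoted):
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


# Constructed capture: (host that sent the ICMP error, raw ICMP message).
SAMPLE_CAPTURE = [
    ("203.0.113.7",  build_icmp_error(11, 0, build_quoted_udp("198.51.100.20", "192.0.2.50", 0, 1026, 1, False))),
    ("203.0.113.7",  build_icmp_error(11, 0, build_quoted_udp("198.51.100.21", "192.0.2.51", 0, 1026, 1, False))),
    ("203.0.113.9",  build_icmp_error(3, 13, build_quoted_udp("198.51.100.22", "192.0.2.77", 0, 1027, 110, True))),
    ("203.0.113.10", build_icmp_error(3, 13, build_quoted_udp("198.51.100.23", "192.0.2.78", 32768, 1027, 110, False))),
]


def parse_icmp_error(reporter, pkt):
    """Decode an ICMP error and the IP/L4 header it quotes."""
    itype, code, _csum, _rest = struct.unpack("!BBHI", pkt[:8])
    quoted = pkt[8:]
    vihl, _tos, _len, _id, flags_frag, ttl, proto, _ck, s, d = struct.unpack("!BBHHHBBH4s4s", quoted[:20])
    ihl = (vihl & 0x0F) * 4
    rec = {"reporter": reporter, "icmp": (itype, code),
           "name": ICMP_NAMES.get((itype, code), "other"),
           "checksum_ok": inet_checksum(pkt) == 0,
           "quoted_src": socket.inet_ntoa(s), "quoted_dst": socket.inet_ntoa(d),
           "proto": proto, "ttl": ttl, "df": bool(flags_frag & 0x4000)}
    l4 = quoted[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:      # TCP or UDP: ports are the first 4 bytes
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    return rec


def indicators(rec):
    """The oddities the diary called out; each is a question to ask, not proof of a probe."""
    out = []
    if rec.get("sport") == 0:
        out.append("source port 0")
    if rec["proto"] == 17 and rec["df"]:
        out.append("DF set on a small UDP datagram")
    if rec["icmp"] == (11, 0):
        out.append("TTL expired: sender chose a very low initial TTL")
    if not rec["checksum_ok"]:
        out.append("bad ICMP checksum")
    return out


def analyze(capture):
    records = [parse_icmp_error(r, p) for r, p in capture]
    per_type = defaultdict(Counter)
    for rec in records:
        per_type["%d/%d" % rec["icmp"]].update([rec["reporter"]])
    # Reporters that sent the same ICMP type more than once ("two packets each").
    repeats = {k: sorted(ip for ip, n in c.items() if n > 1) for k, c in per_type.items()}
    return {"records": records, "flags": [indicators(r) for r in records], "repeat_reporters": repeats}


if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE)
    for rec, flags in zip(result["records"], result["flags"]):
        print(rec["reporter"], rec["name"], rec["quoted_src"], "->", rec["quoted_dst"],
              rec.get("sport"), rec.get("dport"), flags)
    print("repeat reporters:", result["repeat_reporters"])
```

The quoted source addresses are the ones the spammer spoofed (the submitter's range), which is why the errors arrived there, and the quoted destinations are the spam targets; seeing that pattern across many reporters is what settles the "spam or recon" question.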

Yeah, many things caught my eye on this traffic, the same as it did yours.  From all indications, though, it's just pop-up spam.  Here are some of your thoughts and analysis on the traffic.  Some of these do not have a name associated, honoring the submitter's request.  Other analyses were submitted, but the folks asked not to be included.  To everyone who submitted an analysis, I thank you!  If I accidentally skipped someone, please let me know and I'll be happy to include you here.  It was fun and I hope everyone learns from it.  We'll have to play again sometime!


Published: 2006-02-28

Out of cycle oracle patch part II

A few days ago we reported on a possible out of cycle Oracle patch. Unfortunately, Oracle's details are hidden behind a login system, so a security officer's analysis takes much longer than strictly needed.

Integrigy published a report that might be of use to our readers.

--
Swa Frantzen


Published: 2006-02-28

Security Awareness (from students point of view)


Greetings everyone,
Sorry it has been so quiet the last 48 hours.  It is rare that there isn't something to report in that time.  Perhaps this is the long quiet before a storm?

As many of you realize, I work in academia, so a lot of my time is spent keeping your sons and daughters from doing stupid things on the nice brand new computers you bought them for graduation/birthday/Christmas. The rest of my spare time I usually spend trying to balance two seemingly opposite things: securing our network and anything connected to it, while at the same time respecting the need for our traditionally open network environment.  So any time something comes out to help me in the security awareness world, I am usually looking for ways to leverage it for the good of the campus.

Last fall, the EDUCAUSE/Internet2 Computer and Network Security Task Force and the National Cyber Security Alliance had a video contest for students to come up with creative ways to raise awareness about security issues and recently announced the winners.  Their press release is located at http://www.educause.edu/PressReleases/1175&ID=1280  and the winner's videos are located at http://www.educause.edu/SecurityVideoContest/7103 .  It is very interesting to see security through the eyes of the younger generation.  And to think in a few short years, they will most likely be working for you or your company.  Most of the videos are good and have my creative juices going of how to better educate the students and the faculty alike.

I hope that in the corporate environment, maybe some of these may spawn better/newer security awareness ideas for educating your staff.  Perhaps some of the companies are large enough that you can create your own creative videos involving your specific security problems of the year.  Maybe you aren't that large, but I do encourage you to think outside the box for creative ways to raise awareness.

For those not ready to develop their own awareness program, SANS offers awareness training over the Internet for the corporate environment. It comes complete with motivational posters and on-line exams.

NOTE:  the security videos above do have terms of use associated with them.  So, please do not steal them for your own commercial uses unless you have the permission of the owners.  However, if there is one you really like, send the owners a scholarship or offer them a job at your company after graduation.  You never know, they might let you use it directly in your security training or record one especially for you.



Published: 2006-02-25

Winamp buffer overflow

We have been monitoring a reported flaw with Winamp 5.12 and 5.13. A buffer overflow condition triggered by a playlist containing a long file name can cause the application to crash at best and execute arbitrary code at worst. To date, we are not aware of any POC that uses this vulnerability successfully for malicious purposes. This problem is fixed in Winamp 5.2, so users are advised to update. More details about this issue can be found at http://secunia.com/advisories/18848.


Published: 2006-02-25

Plugin auto-installation a good thing?

A vulnerability was recently discovered within the Macromedia Shockwave installer that allowed a malicious site with specific content to deliver arbitrary code for execution as part of a plug-in ActiveX installation script. The vendor has reportedly fixed this problem with the installer to eliminate this vulnerability. However, to be cautious, if you intend to use Shockwave, it would be advisable to install it directly from the vendor's site rather than allow auto-installation of the plugin to occur from a random site with content requiring the plugin. The original advisory and more details can be found at http://www.zerodayinitiative.com/advisories/ZDI-06-002.html.


Published: 2006-02-25

Malware: When <!-- comments --> become commands

It's always exciting to find something that you have never seen before! Most of the time it's the same malware that's been repacked, or just a new flavor of it. However, not yesterday. Yesterday was a day to remember! A reader submitted an attachment that they had received at their organization. It was carefully worded to get the users to want to read the email and open the attachment. That is where this adventure begins! I passed it through Norman and it saw nothing. I also passed it through VirusTotal and it only got a few hits; it wasn't detected by the major AV folks.

I started to look at the malware and got it unpacked in my faithful debugger when I saw some strings that always pique my interest...those that give you a command shell. I always like those. There was also a URL in the strings, so I fired the malware up in my VM and saw that it indeed wanted to go to that URL. I looked at the source code for the actual URL and found nothing really unique about it. There were two .htm files in that website's directory structure. One we'll call "file.htm" and the other "file2.htm". A regular user gets "file.htm" when they visit the site, but the malware wanted "file2.htm". The only difference between the two files was 8 little characters commented out at the top using the HTML comment delimiters "<!--" and "-->", which seemed interesting.

Well, if it wants a website...give it a website (isn't VM great). I set up a website for my malware using copies of the htm files from the actual site and sent it on its happy way. A packet capture showed the malware going to the website, establishing a connection, getting the file it wanted, sending an ACK for it and then a RST ending the connection. My curiosity was piqued: what exactly was the purpose of it going to that specific site? So when I encounter something new and cool and really need an expert on the code.....what do I normally do.....find my fellow handler Tom Liston and see if he has time to play!

Tom (many thanks to you Tom!) and I spent a lot of time looking at this, and the mystery is not yet solved as to how it is working in its entirety. But it's scary as it currently exists. Not the delivery of it, but the malware itself. The malware gets installed by a user clicking on a link in the email to download a file and then opening that file, or by opening the attachment and running it. The .exe installs itself and runs as a service. The malware contacts the site and does a GET; the site passes the page back, and it looks just like normal web traffic to the casual observer. The malware, however, parses the first 64 bytes of the page it gets, which means it grabs those unique little characters at the top and a little more. Then it uses a delimiter of <!-- for the left side and --> for the right side and pulls the characters out of the middle. It runs them through several commands, but it doesn't appear that the string on the page is the one it's looking for right now. Nothing is happening with it at this point. We have theories as to what the malware is doing and we are working to confirm them.

However, it doesn't take much to realize that it is a unique approach and many nasty things could be done. It's really just another sad indicator of the direction that malware is going and of how much more difficult our battle to keep our networks secure is becoming.
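Both this entry and the "Spam, Recon or ??" followup make the same defensive point: the GET looks like ordinary web traffic, so the thing that gives it away is not the content but the timing, a visit to one host on a timer, spaced out so it never looks busy. Here is an added example (not the diary's code, and not based on the actual sample) of the "analysis of all your web traffic" the followup recommends: it parses proxy log lines, groups requests by (client, host), and flags pairs whose inter-request intervals are too regular for a human, reporting how many other clients ever touched that host. The log lines, hostnames and addresses are constructed; the log format, the minimum hit count and the regularity threshold are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy log lines: "<epoch seconds> <client> <method> <url> <status>".
# 10.0.0.5 fetches one page every ~600 s (timer with a few seconds of jitter);
# 10.0.0.7 is ordinary, bursty browsing. Hostnames are reserved example names.
_JITTER = [0, 3, -2, 1, -1, 2, 0, -3]
SAMPLE_LOG = [
    "%d 10.0.0.5 GET http://hidden-comment.example.net/file2.htm 200" % (1000 + i * 600 + j)
    for i, j in enumerate(_JITTER)
] + [
    "1000 10.0.0.7 GET http://news.example.org/ 200",
    "1007 10.0.0.7 GET http://news.example.org/story.htm 200",
    "1250 10.0.0.7 GET http://news.example.org/sports.htm 200",
    "1900 10.0.0.7 GET http://news.example.org/ 200",
    "1903 10.0.0.7 GET http://news.example.org/weather.htm 200",
    "4000 10.0.0.7 GET http://news.example.org/ 200",
    "1500 10.0.0.7 GET http://hidden-comment.example.net/file.htm 200",   # a real visitor
]

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so one bad line never stops the run."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m["url"]
    host = url.split("/", 3)[2] if "://" in url else url.split("/", 1)[0]
    return {"ts": float(m["ts"]), "client": m["client"], "host": host.lower(), "url": url}


def find_beacons(lines, min_hits=5, max_cv=0.1):
    """Flag (client, host) pairs whose request intervals are too regular to be human."""
    series = defaultdict(list)
    clients_per_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        series[(rec["client"], rec["host"])].append(rec["ts"])
        clients_per_host[rec["host"]].add(rec["client"])
    findings = []
    for (client, host), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # coefficient of variation: 0 = perfectly periodic
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(times),
                             "period_s": round(mean, 1), "cv": round(cv, 3),
                             "other_clients": len(clients_per_host[host]) - 1})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The timer-driven client shows up with a ten-minute period and a coefficient of variation near zero, while the human's visits to the same site are spread irregularly and are never reported; the "other_clients" count tells the analyst whether the host is something the rest of the organisation also uses, which is the "is there a logical reason for the traffic" question from the followup.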


Published: 2006-02-25

Out of cycle Oracle patch?

We recently received a report about a potential out of cycle patch related to Oracle Diagnostics called "Diagnostics Support Pack February 2006 with Oracle Diagnostics 2.3 RUP A". We currently have no verification on what it is or what it does. If anyone has any details about this patch, please let us know!

T. Brian Granier
Handler on Duty


Published: 2006-02-24

OS X is clearly on the radar of exploit-developers.

Love it or hate it, OS X users need to exercise increased vigilance.

Soon, even your beloved little Mac laptop will be spending its spare CPU cycles sending out advertisements for Viagra and Cialis.

The recent news of these vulnerabilities in the OS is getting plenty of attention.  Some would argue that things are being blown out of proportion.  I think there is some lazy journalism, and sensationalism afoot.  Yet, like any FUD-storm there is usually some kernel of truth.  In this case, this kernel is not so small and insignificant.

A quick review of some critical points:

  • The OS X Finder issue allows arbitrary execution of code.
  • There exists proof-of-concept code that demonstrates this vulnerability.
  • There exist easy-to-use tools in the wild to actively exploit this vulnerability.

  • The Bluetooth Directory traversal vulnerability (Bugtraq ID 13491) allows an attacker to access arbitrary files on the system.
  • There exists malicious code in the wild that exploits this (OSX.Inqtana.A –no CME available)

  • OS X has a disparity of controls when it comes to file headers and file icons. 
  • This was exploited by OSX.Leap.A


Secure or Easy-to-Use: Pick one.  "Security is a compromise" is a well-known axiom.  In an effort to use as little hype as possible I only suggest that now is the time for Mac users to seriously consider anti-virus, personal firewalls, and safe browsing habits.  It is the time for Mac sysadmins to develop strong patch management policies.  This likely means that a Mac is no longer the no-brainer-choice for what computer to get for your parents.

It would also be simply splendid if Jobs would release his patch clusters on any day other than MS Tuesday.


Published: 2006-02-24

A Sad-day for Customer Service

Today at the day-job we crossed a threshold.  Some would say we took a step backward.  As of today, everyone who sends an email to our abuse@dayjob address will receive an auto-response.  The old days of a human response within 24 hours are now forever-gone at my organization.  The increased load of traffic and the plummeting percentage of messages that actually needed a response have brought us to this decision.

Let there be a Moment of Silence.


Published: 2006-02-24

Where are all of the articles?

It has been ever-so-quiet on the diary.  What is it that we could be up to?
There's quite a bit going on that we can't publish (not everyone who writes in wants their name in lights.)  Nothing worth changing the InfoCon over.  Suitably-obfuscated reports will be released later.


Published: 2006-02-22

Mwcollect and Nepenthes merging

If you are into malware research, it might be of interest to you that the two (in my opinion) best malware honeypot projects have decided to join forces.  See http://www.mwcollect.org/ for details.


Published: 2006-02-22

Antiphishing.org Trend Report

In case you've missed it, the Anti-Phishing Working Group published their latest (December 05) trend report a couple of days ago. Interesting as always. See http://www.antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf


Published: 2006-02-22

W32/Feebs again

Looks like a new variant of W32/Feebs is making the rounds. Fellow handler Bojan has spent quite some time de-obfuscating the JavaScript and VB code, and we're still looking at what it does besides downloading base64 encoded versions of W32/Feebs. You might want to zap access to *.coconia.net / *.by.ru / *.kazan.bz / *.t35.com / *.freecoolsite.com / *.nm.ru until the AV vendors have the patterns lined up.

If some of these domains sound vaguely familiar.... http://isc.sans.org/diary.php?storyid=1035

Update 1023 UTC: Looks like it spreads as an email with subject "Secure Message from GMail.com user", and contains a ZIP attachment (data.zip in the sample at hand), which in turn contains a file "Encrypted Html File.hta", which contains the heavily obfuscated Javascript exploit code that triggers the W32/Feebs download from the above sites.

Update 1700 UTC: AV detection is available by now, at least from some of the "bigger" vendors.
BitDefender|7.2|02.22.2006|Win32.Worm.Feebs.1.Gen
Kaspersky|4.0.2.24|02.22.2006|Worm.Win32.Feebs.cb
McAfee|4703|02.22.2006|W32/Feebs.gen@MM
Panda|9.0.0.4|02.22.2006|Suspicious file
Sophos|4.02.0|02.22.2006|W32/Feebs-Gen
Symantec|8.0|02.22.2006|W32.Feebs



Published: 2006-02-21

Sophos false positives on Mac OS X

We got several reports about false positive detections in various Office 2004 and Adobe files by Sophos on Mac OS X.
Files were detected as infected with OSX/Inqtana-B (Sophos' analysis).

We've also been informed that Sophos pulled the incorrect IDE file and fixed the problem. If you experience these false positives, be sure to download the latest IDE files.


Published: 2006-02-20

Serious flaw on OS X in Apple Safari

We received notice from Juergen Schmidt, editor-in-chief at heise.de, that a serious vulnerability has been found in Apple Safari on OS X.  "In its default configuration shell commands are execute[d] simply by visting a web site - no user interaction required."  This could be really bad.  Attackers can run shell scripts on your computer remotely just by visiting a malicious website.

Full text of the article: http://www.heise.de/english/newsticker/news/69862
Proof of concept from the original discoverer (Michael Lehn): http://www.mathematik.uni-ulm.de/~lehn/mac.html

The problem is due to a feature that is activated by default: "Open 'safe' files after downloading".  A zip file is considered safe, so it is opened automatically.  Subsequently, a shell script with no #! at the beginning of the script is executed automatically.  No user interaction!

Recommended action: disable the option "Open 'safe' files after downloading" in the "General" preferences section in Safari.



Published: 2006-02-19

Getting viruses out of the AVG virus vault

Recently, I needed to explain to someone how to get a virus out of the virus vault included in the free version of AVG anti-virus for submittal, so I could analyze it. For additional information on the free version of AVG try their forum: http://forum.grisoft.cz/

Here are the steps I documented.
I loaded a test virus named eicar on my system to work out the details. It's not really a virus. It will not spread, infect or damage your computer. Rather, it's a string that nearly every antivirus product recognizes as a virus.
More information on eicar is available here: http://www.eicar.org/anti_virus_test_file.htm

This process includes disabling portions of your antivirus software. Don't forget to re-enable it, and I would recommend you disconnect from ALL networks while your AV scanner is disabled.
AVG's virus vault is located in a hidden folder at the "top" of the C drive.
It's called C:\$VAULT$.AVG.


Steps to export viruses from the AVG vault for analysis.

1: Create a directory to store the files in.
2: Open AVG.
3: Select the virus vault.
4: Click on the virus you wish to restore.
5: Choose restore; that will prompt you for the directory to restore the virus into.
6: Select the directory created in step 1.
7: AVG will alert again if it is in active monitoring mode; choose continue.
8: Turn off AVG resident shield protection if you plan to package the viruses up for submittal for malware analysis.
9: Select the AVG resident shield and unselect "turn on avg resident shield protection", then click apply.
   Remember to turn resident shield back on as soon as you're done with the virus.

Steps to package up a directory of infected files for submittal for malware analysis.

1: Open WinZip.
   If it's not installed you can get a 45 day trial version here: http://www.winzip.com/.
   If you use it for more than 45 days please pay for it.
   I wrote these directions assuming you will choose classic WinZip, not the wizard, during installation.
2: Select new.
3: Select a filename and location. C:\bad is the one I used. This is where the zip file will be created.
4: In the options portion select the box that says encrypt added files.
5: In the "look in" bar go to the directory you saved the virus in (infected).
6: Type a password. You will have to verify it. Any encryption is usually acceptable. "infected" is the most commonly used password for anti-virus vendors and malware analysis professionals.


Published: 2006-02-19

DHS wants your comments.

DHS wants to improve software security.

They have put up a website to help programmers make more secure software.
They would also like comments on two documents.
The Software Lifecycle, and The Software Assurance Common Body of Knowledge.
The documents and an online comment form are available at the Build Security In Website.
Comments on the two documents are due by Tuesday, February 21.
https://buildsecurityin.us-cert.gov/portal/resources/


Published: 2006-02-18

The 866-PC-SAFETY poll

Well, we put the current poll up on Tuesday when we heard about problems installing KB913446 via Microsoft Update.  In 4 days, we've had over 2600 responses, and the surprising result is that more than half of the respondents didn't even know about the number, even though it is included at the bottom of all of the Microsoft security bulletins.  I guess Microsoft's marketing folks need to do a better job of publicizing it.  Another common theme in the responses is that the 866 number is only available from the US and Canada.  If there are similar numbers in other countries (I guess there are, see the first link below), that fact needs to be publicized, too.  I think we'll probably be mentioning the number every month on Black Tuesday, since calls related to problems with patches are free (as are worm/virus-related calls, according to the second link below).

You can find the international support numbers at http://support.microsoft.com/common/international.aspx
Also see http://www.microsoft.com/gp/securityhome for other ways of contacting/getting info from Microsoft about security-related problems.

-----------------------------------
Jim Clausing, jclausing --at-- isc.sans.org

0 Comments

Published: 2006-02-18

New variant of mambo exploit making the rounds

We've gotten e-mail from some of our readers indicating that a new variant of the Mambo/XML-RPC exploits from last year (see http://isc.sans.org/diary.php?storyid=870 and http://isc.sans.org/diary.php?storyid=823) is making the rounds.  As far as we can tell, it still exploits the same vulnerabilities, so those who patched last year should be okay, but obviously there are some servers out there that haven't been patched, because we have word of a few that have been defaced via this exploit. :(

-------------------------
Jim Clausing, jclausing --at-- isc.sans.org

0 Comments

Published: 2006-02-17

More spam for your inbox

It's nice to see that the spam countermeasures we deploy actually are effective. How do we know that? Well, spammers are constantly trying new tricks against various spam detection methods, with more or (usually) less success.

One of the latest "tricks" from their bag consists of sending extremely short e-mails, so that the Bayesian classifier has almost no tokens on which to base a decision.

The sample e-mail below looks like a desperate move by a spammer in order to evade spam detection.



We can see that the e-mail body contains only a couple of words, but there is a ZIP archive attached as well. In the archive there is an HTML web page, together with some disclaimers(!!). The HTML web page is the actual spam content (this time a porn advertisement with links to PayPal; they're obviously trying to make some money).

The disclaimer is even more interesting:

  XXX Content Warning
  .............................................

  Please read and comply with the following conditions
  before you continue:
  .............................................

  I am at least
  21 YEARS OF AGE.

And so on. This is probably some kind of legal defense as they are advertising porn web pages.

We've seen two variants of this spam. They are basically similar, but in the other the ZIP archive is password protected and the password is listed in the message body. This can cause various e-mail gateways to raise alerts, since that pattern looks very much like a worm.
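As an added example (not part of the original diary), here is what a gateway can do with a message of this shape: count the words in the body, open the ZIP attachment, and extract the links from any HTML it contains, so the classifier scores the real content rather than the two-word body. The message, the word threshold and the regex that picks a password out of the body are constructed assumptions.

```python
"""Score a message the way a gateway should when the body is starved of
tokens: count the body's words, open any ZIP attachment and pull the links
out of the HTML it carries, so the classifier sees the real spam text.  Added
example, not from the original diary; the message, the word threshold and
the password regex are constructed assumptions."""
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

MAX_BODY_WORDS = 8        # assumed: bodies this short carry nothing to score
LINK_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
PASSWORD_RE = re.compile(r"password\W{0,10}([A-Za-z0-9]{3,32})", re.I)
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return "" if part is None else part.get_content()


def zip_html_links(msg: EmailMessage) -> list:
    """Links in HTML files inside ZIP attachments; uses a password quoted in the body, if any."""
    m = PASSWORD_RE.search(body_text(msg))
    pwd = m.group(1).encode() if m else None
    links = []
    for part in msg.iter_attachments():
        if part.get_content_type() not in ZIP_TYPES:
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for name in zf.namelist():
                if name.lower().endswith((".htm", ".html")):
                    links += LINK_RE.findall(zf.read(name, pwd=pwd).decode("latin-1"))
    return links


def classify(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=default)
    words = len(body_text(msg).split())
    links = zip_html_links(msg)
    return {"body_words": words, "links": links,
            "suspicious": words <= MAX_BODY_WORDS and bool(links)}


def constructed_sample() -> bytes:
    """A constructed message in the shape described above: tiny body, ZIP with HTML."""
    html = b'<html><body><a href="http://pay.example.invalid/join">enter</a></body></html>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("page.html", html)
        zf.writestr("disclaimer.txt", b"I am at least 21 YEARS OF AGE.")
    msg = EmailMessage()
    msg["From"] = "promo@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "hi"
    msg.set_content("see attached, password: open123\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="info.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(constructed_sample()))
```

The password branch is what makes the second variant scannable at all: a gateway that cannot open the archive has nothing to classify, while one that reads the password out of the body can score the HTML like any other message.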

0 Comments

Published: 2006-02-17

Apple's Ode to Hackers

I've been told I have an odd sense of humor.

So, I have to wonder if the poetry embedded into OS X is funny to anyone but me.


0 Comments

Published: 2006-02-17

Mac OS X Bluetooth Worm

The F-Secure weblog is reporting a proof-of-concept worm for Mac OS X 10.4 (Tiger) that tries to spread from one infected system to others by using the Bluetooth OBEX Push vulnerability CAN-2005-1333.


0 Comments

Published: 2006-02-17

Multiple Exploits Available for MS06-005 and MS06-006

The 'sploit writers have been busy.

In the last 24 hours a total of four exploits have been released - two each for MS06-005 and MS06-006.

MS06-005 - Vulnerability in Windows Media Player Could Allow Remote Code Execution

MS06-006 - Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution


0 Comments

Published: 2006-02-16

Mac OS X trojan - OSX/Leap

Readers have written in about the new Mac OS X trojan that is spreading via iChat. This one looks difficult to propagate widely. The trojan masquerades as a JPEG file wrapped in a tgz archive. The user has to deliberately decompress the archive and open (execute) the resulting "JPEG" in order to get infected. Unless the user is already running as admin, the admin password will be prompted for as well.

You almost have to work hard to get infected, but it seems this is just the beginning of more Mac OS X malware to come, with stronger capabilities to spread.

Details can be found at:

http://www.ambrosiasw.com/forums/index.php?showtopic=102379
http://www.macrumors.com/pages/2006/02/20060216005401.shtml
http://vil.nai.com/vil/content/v_138578.htm
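As an added example (not from the original diary or from any vendor's analysis), the check a cautious user or a mail gateway can apply to a tgz like the one described: open the archive and flag any image-named member whose first bytes are an executable header, or which has its execute bits set. The archive is constructed; the magic numbers are the standard Mach-O, ELF, PE and JPEG ones.

```python
"""Look inside a .tgz before anyone double-clicks its contents: report members
whose name says "picture" but whose first bytes (or permission bits) say
"program".  Added example, not from the original diary; the archive below is
constructed and the magic numbers are the standard Mach-O, ELF, PE and JPEG ones."""
import io
import tarfile

EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",   # also the Java class magic
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")


def identify(head: bytes) -> str:
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    if head.startswith(b"\xff\xd8\xff"):
        return "JPEG"
    return "unknown"


def disguised_members(tgz: bytes) -> list:
    """(name, type, mode) for image-named members that are executables or have +x set."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.lower().endswith(IMAGE_EXTENSIONS):
                continue
            label = identify(tar.extractfile(member).read(8))
            if label in EXECUTABLE_MAGIC.values() or member.mode & 0o111:
                found.append((member.name, label, oct(member.mode & 0o777)))
    return found


def constructed_archive() -> bytes:
    """Two 'pictures': a real JPEG header, and a Mach-O header marked executable."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in [("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 28, 0o644),
                                 ("latest.jpg", b"\xce\xfa\xed\xfe" + b"\0" * 28, 0o755)]:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, label, mode in disguised_members(constructed_archive()):
        print("%s claims to be an image but is %s (mode %s)" % (name, label, mode))
```

The permission-bit test matters on its own: a tar archive preserves the execute bit, so an "image" that arrives executable is suspicious even before its contents are examined.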

------------
Jason Lam

0 Comments

Published: 2006-02-16

Malware Analysis Quiz 6

Welcome to the Linux world! Yes, this time, for those following my quizzes, it is a Linux-based one... Not much information is available, except for some log files and two suspicious files found on the machine...
I enjoyed creating it, and I hope that you enjoy answering it!
Check it here! Any comments can be sent to me at pbueno //&&// ( isc. sans. org ).

0 Comments

Published: 2006-02-16

MS06-005 proof of concept exploit released

A proof-of-concept exploit for MS06-005 has been released. The exploit crafts a malicious BMP file to trigger a buffer overflow in Media Player. Keeping in mind, as Microsoft has pointed out, that the exploitation vector can include other graphics files as well (such as .wmp), it's a good idea to get it patched ASAP.

------------
Jason Lam

0 Comments

Published: 2006-02-15

Linux kernel 2.6 ICMP bug resulting in remote DoS

Here we have a perfect example of how hard it sometimes is to stay abreast of security risks.  Thanks to Ronald for the heads up; it looks like there are a few additional mailing lists I need to consider subscribing to.

Over a week ago, the 2.6.15.3 Linux kernel included a patch to address a bug in the icmp_send function that could crash the kernel, resulting in a remotely triggerable DoS.  The current latest stable Linux kernel is 2.6.15.4, available from http://www.kernel.org/.  Details are available at http://www.securityfocus.com/bid/16532/.

For mitigation, I choose to quote HD Moore since he has put it most simply 'The easy fix is to block ICMP until you upgrade your kernels...'.  'nuff said.



0 Comments

Published: 2006-02-15

SANS ISC Receives Award

The SANS Internet Storm Center was recognized Tuesday evening at the annual RSA Conference by receiving the SC Magazine Editors Choice Award for 2006.  We are deeply humbled by the honor and I would like to extend my appreciation to the many people behind the SANS ISC who make all of this possible.  The group of volunteer incident handlers that spend countless hours chasing all sorts of problems on the Internet are at the heart of the ISC and without them we could not exist - thanks ladies and gents!  Likewise, the large army of volunteers who run DShield sensors, those who participate in the email groups and online forums, and the thousands of readers who provide observations, thoughts, and analysis in support of making the Internet more secure are also part of this recognition.  Finally, kudos to the SANS Institute for providing the servers, Internet connections, and back office support over the past several years.  As we approach our fifth birthday I think that we have reached a significant milestone.  We look forward to many more years of collaboration and teamwork as we endeavor to build a more secure Internet.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2006-02-15

OS X Software Update to 10.4.5, and now I wonder if I missed one?

The Apple Product Security team released a security patch notice today regarding the latest available OS X Software Update.  This sets the current OS X revision level firmly at 10.4.5.  The Software Update detail refers to many networking/application updates but does not really mention the Kernel level system crash that may be triggered by a malicious local user.  Well, I'm not going to be giving local system access away to my machine to find out what that case might look like.

I do find it interesting that at the time of my viewing of the following URL for the apple.com knowledge base detailed information Security Update page the most recent entry is from Jan 10th.  There is no mention of a Kernel issue there, though I'm sure they'll catch up. http://www.info.apple.com/kbnum/n61798/  

A worrisome observation, which may simply be my failing senses, is that my Powerbook as of this writing is running 10.4.3, and today we have the 10.4.5 release.  I'm pretty good about paying attention to software updates; did anyone else experience this loss of awareness?

I unfortunately do not have a test subject (i.e. coworker) to have patch their OS X installation first, so I'm going to bite the bullet and go for broke.  Software Update here I come... <<CONNECTION TERMINATED>>

:)  Just kidding.  I really do like my powerbook.

0 Comments

Published: 2006-02-14

Problems with MS patch KB913446 (for the IGMP issue, MS06-007)

A number of our readers have written in (and some of the handlers have duplicated the issue) to report that when using Microsoft Update or autoupdate the patch (KB913446) downloads, but fails to install with Error Code: 0x80242006.  The version located here, however, does not appear to have this issue.  Until Microsoft fixes the former, you may want to install that one patch manually.  Our summary of all of the bulletins will be posted shortly.

0 Comments

Published: 2006-02-14

Happy Valentines Day and Black Tuesday

Yes that is right.  It is the joyful Microsoft Patch Day and your faithful Storm Center volunteers are hard at work analyzing the information as it is made available. 

Stay tuned for the updates on the little fellars.


0 Comments

Published: 2006-02-13

New IE 0-Day Drag-N-Drop-N-PopUnder-N-GrabFocus-N-DoTheHokeyPokey Vuln.

Info on a new "0-day" IE Drag-n-Drop vulnerability can be found here.  All things considered, it looks to be a mite "complex" to come off well, but it may very well be usable.  However, I would say that it'll probably be sitting near the bottom of the list of most popular attacks as long as we still have machines out there vulnerable to WMF and other, easier-to-do, nasties.

0 Comments

Published: 2006-02-13

Phollow the Phlopping Phish

Disclaimer: Normally I hold forth in a series of diary entries titled "Follow the Bouncing Malware," but today, we're going to take a walk down a different path: we're going to phollow a phish and see where it takes us.  Along the way, while we won't be getting down and dirty with bits and bytes, we will talk a little about scams, social engineering, and some of the plain old dumb things that companies do to make livin' la vida loca off of a phishin' net all too easy.

Strap in, boys and girls... it's gonna be a bumpy ride.

You grab a line, and I'll grab a pole...

"It just isn't fair," thought Joe Sixpack as he sat grumbling at his desk.  His boss and the Director of IT had just spent the last 40 minutes chewing him out over something that wasn't even his fault.  He needed more space on his computer for his MP3s, and those stupid .DLL files had been taking up so much room...  How was he supposed to know they were important?

He was in the middle of a particularly good daydream involving the boss, a cattle prod, the hot little receptionist from accounting, and a Labrador retriever, when he was distracted by his freshly re-installed computer's brainlessly chipper pronouncement: "You've got mail!"



Now Joe Sixpack was no dummy.  He knew all about those online scams that tried to trick you into giving out your personal information... what were they called... "phoning"... "pharting"... "phishing"... That was it: phishing!

He was going to be really, really careful.

The email looked to be authentic... it had the Mountain America logo, and it certainly sounded authentic, especially when it warned him that his credit card would be "disabled" if he didn't do what it asked.  Those bankers... Type-A personalities, all of them.  He couldn't let his credit card be disabled!  He had just gotten his cable bill set up to be paid through his Visa!

Joe pulled out his wallet and looked carefully at his Mountain America Visa card, and it did indeed have the correct numbers, just like those shown in the email.  He was pretty certain that the only way anyone could know that his card had those numbers on it was if they were Mountain America, but he decided that he had still better be careful.  What was it that his boss had said earlier?... Something about Joe being so stupid that if he saw a sign saying "wet floor," that he would.  Well, he wasn't stupid, and he would prove it.

Looking at the email, he saw that there was a link in it.  He thought back to the in-service that the Director of IT had held a few months back.  It was a particularly memorable experience for Joe, because he managed to sit right next to the hot little receptionist from accounting, and he was able to spend most of the boring talk peeking down her blouse.  While he remembered little of the actual meeting (beyond the receptionist's taste in lacy undergarments) Joe thought he recalled something about links in email being bad.  Yes... yes... that was it.  You were never supposed to click on a link in an email... clicking on link was a bad thing but the exact reason it was bad was somehow all mixed up inside Joe's brain with hazy visions of something hot-pink from Victoria's Secret.

In any case, he wouldn't click on the link... he would re-type the address of the website.

As he typed in the address, https://www.mountain-america.net, Joe thought that it seemed a bit odd.  He thought that he remembered that the correct address for the Mountain America website was different.  But he also remembered a few months back, in the midst of a similar "I'm not stupid" episode following a similar butt-chewing from the IT Director, he had tried to prove that the real Credit Union site was bogus because it contained links to another site with a funny name.  The IT Director had patiently explained that while it wasn't a good thing, sometimes banks and credit unions used other "special purpose" sites for...well... special purposes.  He explained that those sites could cause people to be confused, just as Joe had been, and because of that, it wasn't a good idea.  He had also showed Joe how to confirm that the site did indeed belong to the bank.

Because, on that occasion, the IT Director wasn't competing with cleavage and lace for his attention, Joe actually remembered exactly what he had said and done.  Keeping that in mind, and after carefully typing the website address, Joe checked out the page that appeared before him:



Sure enough, there at the bottom of the screen, he saw what the IT Director had clicked on:  the little lock.  Joe clicked, and was presented with a new window that explained that the site was indeed legit... someone called Equifax (that was trusted by his browser) vouched for them.



"Cool," though Joe, "I'm really getting the hang of this whole Internet thing!"  And, just to prove that he was... what was it his son always said?... oh yeah..."leet,"...he clicked on another button on the window.  This brought up an entirely new window, filled with mind-numbing gobbledygook.

 

Joe puzzled over this window for a few moments, trying to make sense of it.   It appeared to have something to do with proving that this website was really owned by his credit union, but most of it seemed to be written in a foreign language.  He looked it over a few more times and was just about to close the window when he noticed what looked to be a website address on one of the lines.  The address pointed to something called "businessprofile.geotrust.com," and although he didn't know if it was important or not, he typed it into his browser's address bar to see what he could find.



Wow... he really was "leet."  It appeared that he had found even further confirmation that this website was legit, this time from a company called "ChoicePoint."  Right there, it said that the website address was part of Mountain America of Salt Lake City, UT.

Joe knew that the headquarters of his credit union was indeed located in Salt Lake City... it said so on every quarterly statement that he received.

If his credit union thought that it was important that he registered for this Verified by Visa program, then hey, he'd do it.  He was humming to himself and thinking happily of the hot little receptionist from accounting as he typed in his Visa card's number...

...and we'll go phishin' in the crawphish hole...

So, what did Joe do wrong?  Well... for once: nothing.

He went above and beyond what we could possibly expect an end user to do.  And yet he still got phished.

He didn't follow a link.  He checked the certificate.  He even went so far as to double-check the certificate issuer's facts.

Joe was let down by the very infrastructure that was supposed to be there to protect him.

What happened?

I talked earlier today to a representative of Equifax/GeoTrust, and asked a simple question:  how do you confirm that someone really is who they claim to be when issuing an SSL certificate?  I got a response that sounded really quite good.  There was official documentation required: copies of business licenses, articles of incorporation, etc...  There was official confirmation required: checks made with the Secretary of State's Office in the state of incorporation, a requirement that the business be in good standing, etc...  

And still, some scummy phisher got an SSL certificate that appears to link him back to the actual credit union.

I asked about the ChoicePoint information and whether it was used as verification and was surprised to learn that ChoicePoint wasn't a "source" of data for the transaction, but rather was a "recipient" of data from Equifax/GeoTrust.  According to Equifax/GeoTrust, "as part of the provisioning process with QuickSSL, your business will be registered with ChoicePoint, the nation's leading provider of identification and credential verification services."

What more could any burgeoning identity thief ask for?

What is going on here?  How can this be happening?  Internet e-commerce is founded on SSL, and SSL is founded on the trust that the companies handing out SSL certificates are doing their homework and are verifying that the companies sitting behind their certs are who they say they are.

To paraphrase one of my favorite movie lines: "What we have here is a failure to authenticate..."

Finally, banks and credit unions that send out email with clickable links teach their customers incredibly dangerous habits.  Financial institutions that use multiple domain names are setting their customers up for disaster.  And, of course, any financial institution that isn't checking their referrer logs for odd and unknown sites is a time bomb waiting to explode.

Come on folks.  It's hard enough to keep the end users from shooting themselves in the foot... don't give them a loaded gun.
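As an added example (not from the original diary), here is the referrer-log check the last paragraph asks for: scan combined-format access log lines for Referer hosts outside the institution's own domains, and single out the ones that carry the institution's name, as a phishing clone that hotlinks the real site's images would. The log lines, brand and domain list are constructed.

```python
"""Find Referer hosts in a web server's combined-format access log that are not
the institution's own, and separate out the ones that look like its brand.
Added example, not from the original diary; log lines, brand and domain
list are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

SAMPLE_LOG = [   # constructed
    '203.0.113.5 - - [13/Feb/2006:10:02:11 -0500] "GET /login HTTP/1.1" 200 1532 "https://www.riverbankcu.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Feb/2006:10:03:40 -0500] "GET /images/logo.gif HTTP/1.1" 200 4110 "https://www.river-bank-cu.net/verify.php" "Mozilla/4.0"',
    '198.51.100.7 - - [13/Feb/2006:10:04:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 4110 "https://www.river-bank-cu.net/verify.php" "Mozilla/4.0"',
    '198.51.100.8 - - [13/Feb/2006:10:05:00 -0500] "GET / HTTP/1.1" 200 900 "http://search.example.org/?q=riverbank" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Feb/2006:10:06:00 -0500] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def brand_key(host: str) -> str:
    """'www.river-bank-cu.net' -> 'wwwriverbankcu': drop the TLD and all punctuation."""
    return re.sub(r"[^a-z0-9]", "", host.lower().rsplit(".", 1)[0])


def referer_report(lines, own_domains, brand) -> dict:
    """Unknown referer hosts with hit coun ts, split into brand lookalikes and the rest."""
    own = {d.lower() for d in own_domains}
    lookalike, other = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["referer"] in ("", "-"):
            continue
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own or any(host.endswith("." + d) for d in own):
            continue
        (lookalike if brand_key(brand) in brand_key(host) else other)[host] += 1
    return {"lookalike": dict(lookalike), "other": dict(other)}


if __name__ == "__main__":
    report = referer_report(SAMPLE_LOG, ["riverbankcu.example"], "riverbankcu")
    for host, hits in report["lookalike"].items():
        print("LOOKALIKE referer %s (%d hits)" % (host, hits))
    for host, hits in report["other"].items():
        print("unknown referer %s (%d hits)" % (host, hits))
```

Hits on image files with a lookalike Referer are the strongest signal: the clone page is being rendered in a victim's browser and is pulling the real logo from the real server, which is exactly the moment the institution can still act.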

0 Comments

Published: 2006-02-12

Exploit #2 released for Windows Services Insecure ACLs Local Privilege Escalation

Exploit #2 has been released for the Windows Services Insecure ACLs Local Privilege Escalation Vulnerability, described in MS Security Advisory (914457) "Possible Vulnerability in Windows Service ACLs".

0 Comments

Published: 2006-02-12

Targeted Trojan attacks?

Update

I received a number of responses to the Diary entry below reporting similar _emails_. The reports showed or pointed to HTML emails with similar contents and construction. Examining the emails after setting MS email clients to "text only" will show the GIF as an attachment to the email.

In a few cases the HTML emails were flagged as phishing email by various AV products. In one case the email was flagged as both a phish email and separately as a trojan/pwstealer/keystroke logger.

I received analysis summary results of the Sun site's illicit.GIF file from two AV sources. Their analyses were similar, so I'll quote just one: "The only thing I would add is that it has been verified the GIF is not some executable code, but just a 'clean' image inside an HTML email where the image is hyperlinked.  Clicking on the image takes one to a phishing site."

Thanks Mugg and Eric Chien for taking the time to follow up on the Diary .

That leaves me with a number of protection, detection and incident response questions that their analysis raises; I'll look at those and report any results as resources allow.

Thanks again to everyone who submitted information, samples and pointers to samples.

Original Diary Entry Follows;
You have to love it when malware blows through your ISP's email gateway AV, hits your desktop, and only 2 vendors flag it. This has been occurring regularly over the last few months. Some of today's email details are below. At this time only F-Secure and Kaspersky catch it; F-Secure says "malware found Trojan-Spy.HTML.Bayfraud.in (virus)".

After Googling the Subject of the email I'm writing about, "eBay Customer Notice: Details Confirmation", I saw a few returns, one was at archives.java.sun.com. Sun has been notified.

That page also references the trojan I was sent, only the image name is different; at the Sun site it's named illicit.GIF [image/gif] and there's a date/time visible on the page display [Fri, 21 Oct 2005 23:44:45 +0100], though who knows how trustworthy that date information is. If it's accurate, then based on the Jotti and VirusTotal results below, it's a touch troubling.

If you're seeing any of these please drop us a note. Thanks!

illicit.GIF analysis results at Jotti and Virustotal.

Jotti.Org says
File:  illicit.GIF 
Status:  INFECTED/MALWARE 
MD5  15492310e33e16810c4d880b8f343f8d 
Packers detected:  -
Scanner results 
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found Trojan-Spy.HTML.Bayfraud.in 
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found nothing

This is a report processed by VirusTotal on 02/12/2006 at 20:13:06 (CET) after scanning the file "illicit.GIF".
Antivirus Version Update Result
AntiVir 6.33.0.81 02.11.2006 no virus found
Avast 4.6.695.0 02.10.2006 no virus found
AVG 718 02.10.2006 no virus found
Avira 6.33.0.81 02.11.2006 no virus found
BitDefender 7.2 02.12.2006 no virus found
CAT-QuickHeal 8.00 02.11.2006 no virus found
ClamAV devel-20060126 02.12.2006 no virus found
DrWeb 4.33 02.12.2006 no virus found
eTrust-InoculateIT 23.71.74 02.11.2006 no virus found
eTrust-Vet 12.4.2074 02.10.2006 no virus found
Ewido 3.5 02.11.2006 no virus found
Fortinet 2.54.0.0 02.12.2006 no virus found
F-Prot 3.16c 02.09.2006 no virus found
Ikarus 0.2.59.0 02.10.2006 no virus found
Kaspersky 4.0.2.24 02.12.2006 Trojan-Spy.HTML.Bayfraud.in
McAfee 4694 02.10.2006 no virus found
NOD32v2 1.1404 02.11.2006 no virus found
Norman 5.70.10 02.10.2006 no virus found
Panda 9.0.0.4 02.12.2006 no virus found
Sophos 4.02.0 02.11.2006 no virus found
Symantec 8.0 02.12.2006 no virus found
TheHacker 5.9.4.094 02.10.2006 no virus found
UNA 1.83 02.09.2006 no virus found
VBA32 3.10.5 02.11.2006 no virus found

Some Email details;

Return-path: <support_num_3381305590018@ebay.com>
**snip**
Received: from ppp85-141-237-194.pppoe.mtu-net.ru ([85.141.237.194])
 by orngca-mx-08.mgw.rr.com with SMTP; Sun, 12 Feb 2006 13:52:34 -0500
Date: Sun, 12 Feb 2006 14:43:23 -0400
From: eBay <support_num_3381305590018@ebay.com>
Subject: eBay Customer Notice: Details Confirmation [Sun, 12 Feb 2006 21:46:23 +0300]
To: pnk@nycap.rr.com
Message-id: <4oomdf$ha2v4r@orngca-mx-08.mgw.rr.com>
MIME-version: 1.0
X-Accept-Language: en-us, en
Fcc: mailbox://support_num_3381305590018@ebay.com/Sent
X-Identity-Key: Id7
X-Virus-Scanned: Symantec AntiVirus Scan Engine <=== Gateway AV
Original-recipient: rfc822;pnolan
Content-Type: multipart/mixed;
  boundary="----=_cKusyvfBPGgnaHbQBgKUeaDHKTZHAlKYr"

Attachment name patch.GIF

Subject eBay Customer Notice: Details Confirmation

UPDATE: I received a different piece of malware five minutes later ( ; ^ ), through the ISP email gateway AV undetected. There was no attachment; the Subject is "Please Check Your Account !"
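As an added example (not from the original diary), here is an automated first pass over a message like the one above, built around the quoted headers: it compares the domain the sender claims with the domain of the host that handed the mail to the receiving MX, flags consumer-looking host names, extracts the link wrapped around the image in the HTML body, and confirms that the .GIF really is a GIF. The recipient, image bytes and HTML are constructed; the "consumer line" name patterns and the two-label domain rule are assumptions.

```python
"""Triage a message like the "eBay Customer Notice" above: compare the claimed
sender's domain with the host that handed the mail to our MX, and check what the
.GIF attachment and the HTML body really contain.  Added example, not from the
original diary; the message is constructed around the header lines quoted in the
entry, with a placeholder recipient, a made-up image and a made-up HTML body."""
import email
import email.utils
import re
from email.message import EmailMessage
from email.policy import default

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9.]+)\]?\)\s+by\s+(?P<by>\S+)")
DYNAMIC_RE = re.compile(r"ppp|dial|dsl|cable|dyn", re.I)    # assumed consumer-line naming
IMG_LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>\s*<img', re.I | re.S)


def registered_domain(host: str) -> str:
    # last two labels; an assumption that is fine for .com/.ru names, not for ccSLDs
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def first_external_hop(msg: EmailMessage):
    """(helo, ip, receiving host) from the topmost Received line that names a source."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            return m["helo"], m["ip"], m["by"]
    return None


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = registered_domain(sender.split("@")[-1])
    hop = first_external_hop(msg)
    helo = hop[0] if hop else ""
    html = msg.get_body(preferencelist=("html",))
    gifs = [p for p in msg.iter_attachments() if p.get_filename("").lower().endswith(".gif")]
    return {
        "sender_domain": sender_domain,
        "handoff_host": helo,
        "handoff_domain": registered_domain(helo),
        "domain_mismatch": sender_domain != registered_domain(helo),
        "consumer_host": bool(DYNAMIC_RE.search(helo)),
        "image_links": IMG_LINK_RE.findall(html.get_content()) if html else [],
        "gifs_are_images": all(p.get_payload(decode=True)[:4] == b"GIF8" for p in gifs),
    }


def constructed_message() -> bytes:
    """Headers as quoted in the diary (recipient replaced), with a constructed body."""
    msg = EmailMessage()
    msg["Return-Path"] = "<support_num_3381305590018@ebay.com>"
    msg["Received"] = ("from ppp85-141-237-194.pppoe.mtu-net.ru ([85.141.237.194]) "
                       "by orngca-mx-08.mgw.rr.com with SMTP; Sun, 12 Feb 2006 13:52:34 -0500")
    msg["From"] = "eBay <support_num_3381305590018@ebay.com>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "eBay Customer Notice: Details Confirmation"
    msg.set_content('<html><body><a href="http://signin.example.invalid/ebay/update">'
                    '<img src="cid:patch"></a></body></html>', subtype="html")
    msg.add_attachment(b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16,
                       maintype="image", subtype="gif", filename="patch.GIF")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(constructed_message()).items():
        print("%-16s %s" % (key, value))
```

Only the Received line added by your own MX is trustworthy; anything below it in the header block was written by the sender and can say whatever the sender likes, which is why the comparison is made against the hop your MX recorded.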

0 Comments

Published: 2006-02-12

Honeyd 1.5 Released

Honeyd 1.5 has been released.  In addition to other improvements, this version corrects the "Remote Detection Via Multiple Probe Packets" issue that affects prior versions of Honeyd.


0 Comments

Published: 2006-02-11

New Exploit for HTML Help Workshop vulnerability

Only 5 days after the vulnerability was disclosed, two exploits are on the street.  Both exploits, tested on Windows XP SP2, will give the attacker the ability to run code of his or her choosing on the compromised machine.  As of this writing, a patch has not been made available, as far as we know.

Windows XP SP2 is not vulnerable in its default configuration. Microsoft noted that the HTML Help Workshop SDK has to be installed in order for the exploit to work. This SDK is a self-contained download, and at this point we are not aware of anything that bundles it. Given that it is an issue with this particular application, there is a chance that it may be exploitable on Windows versions other than XP SP2.

Summary:
- Vulnerability in HTML Help Workshop SDK, which is not installed by default.
- Exploit tested on Windows XP SP2.
- Exploit may work on other platforms that have HTML Help Workshop SDK installed, but we haven't tested it yet.

Please let us know if you have this SDK installed, in particular if it came bundled with other software.

See this URL for more details:

http://users.pandora.be/bratax/advisories/b008.html
http://msdn.microsoft.com/library/default.asp?
       url=/library/en-us/htmlhelp/html/vsconhh1start.asp

Tony Carothers
Handler on Duty

0 Comments

Published: 2006-02-10

Google Desktop Has New Features

We have gotten a lot of questions and concerns over the new functionality implemented in Google Desktop.

Here is a short blurb on Google's site about the functionality:
"Search Across Computers enables you to search your documents and viewed web pages across all your computers. For example, you could find files you edited on your desktop from your laptop. To activate this feature, you will need a Google Account (the same login you use for Gmail, Orkut, or other Google services). Remember, to search your other computers you must also install Google Desktop on them as well as enable the Search Across Computers preference using the same Google Account on each one."

More information about it can be found at:  http://desktop.google.com/features.html

Google Desktop is a tool that users can choose to use or not.  Google simply offers a service.  By default, the functionality is not turned on.  To search other computers, they have to be running Google Desktop with the "Search Across Computers" preference turned on, and you have to use the same Google account on each of them.

To download the tool, you have to agree to their "terms and conditions" and their "privacy" policy. If you have questions, Google has a webpage for questions.

I think fellow handler Lenny Zeltser sums it up best in this statement: 
"It's google's job to provide useful tools and clearly state their privacy policy and data abuse issues. I'll leave it up to the users to decide whether they want to take advantage of the tool's new capabilities or not."

0 Comments

Published: 2006-02-10

Check Point Outbound Traffic Mystery

One of our readers, Jeff Peterson, submitted to us a packet capture taken from a newly built Check Point firewall, Build 244.  Here is what he observed in his own words:

"This file is from a freshly installed Checkpoint Firewall 1 VPN gateway.  This machine was off-line until installation was completed and policy pushed.

Once the service starts and the first login attempt is completed the interface of the machine starts blasting the captured information to two targeted destination IP's.....Installation is from a Checkpoint supplied CD."

I did ask about the base OS being a fresh install and here are his comments as well:

"Yes.  In fact I've built the server twice from scratch using only the checkpoint supplied CD which includes the OS and Firewall. Ie: SecurePlatform.  The outcome was the same both times"

Here is a short synopsis of the traffic being observed:

There are 4 UDP packets sent to one IP address, then 4 more to the other, and this repeats over and over.  One IP, 48.28.223.239, doesn't appear to have anything assigned to it but belongs to Prudential Securities Inc.  The other IP, 152.96.109.99, belongs to:

descr: HSR Hochschule fuer Technik Rapperswil
descr: Rapperswil, Switzerland

Dst Port is 57327/UDP
Src port is 32768

If you would like to see two example packets, you can view them here:
http://isc.sans.org/diaryimages/packets for checkpoint.txt

The issue went away with new CDs being obtained from the vendor.

This is the only report we received about this so far.  If you have observed similar traffic or have any ideas, please let us know.

0 Comments

Published: 2006-02-10

Spam, Recon or ??: You make the call!!

One of my favorite things to see come in to the handlers list is packets.  You gotta love packets!  Doing packet analysis is like trying to solve a puzzle, but without all the pieces and without knowing what you are supposed to build.  One of the things that you do have to be careful of is thinking that you've seen it all before.  What do I mean by that?  Well, what I mean is that you look at traffic and immediately tend to classify it into a category based on protocol and/or ports etc.  For instance, maybe it's UDP traffic on port 53: just DNS, right?  Well, are you sure that's all that it is?  I know it's not feasible to look at everything, but when alerts/flags are raised I think we have a tendency to go "oh that's just......we see it all the time".  But did you actually look at it to be sure?

It has often been said that if you want to hide something, hide it in plain sight.  It makes perfect sense.  If you want traffic to get through, make it look close enough to something else that no one bothers to take a second look at it.  

Today we got some logs submitted to us with some questions on the ICMP traffic.  Even though it's not a packet capture, there was enough data to do some analysis.  Here are the links to the files for your viewing pleasure:

http://isc.sans.org/diaryimages/icmpType3.log
http://isc.sans.org/diaryimages/icmpType11.log

It is interesting to note that several handlers looked at the traffic and many conclusions were reached.  I won't share with you our conclusions at this time, but I would like to see what the rest of you come up with.  Maybe you don't have an answer as to what it is (something you have to learn to accept when you analyze network traffic), but maybe you notice something unique about the traffic.  Here is a short summary.  ICMP error messages arrived at a host.  However, that host did not have any outbound traffic that would have generated the ICMP error messages.   Each of the error messages does contain the rough headers of the packet that caused the ICMP error messages.  I'll post later the analysis done by some of the handlers and the results that everyone else came up with.  


So, get ready to have fun and do some analysis!
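As an added example (not from the original diary, and not an answer to the puzzle), here is the parsing step the analysis requires: decode ICMP type 3 and 11 messages down to the quoted inner IP header and ports, verify the ICMP checksum, and compare the quoted datagram against the flows the host is known to have sent. The three error packets are constructed, not taken from the posted logs.

```python
"""Parse ICMP error messages (types 3 and 11 among others) down to the quoted
inner IPv4 header and ports, then ask whether the quoted datagram matches
anything this host actually sent.  Added example, not from the original diary;
the packets are constructed, not taken from the posted logs."""
import struct
from ipaddress import ip_address

ERROR_TYPES = {3: "destination unreachable", 4: "source quench", 5: "redirect",
               11: "time exceeded", 12: "parameter problem"}
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp_error(icmp: bytes) -> dict:
    """Decode an ICMP error: its own 8-byte header, the quoted IPv4 header, 8 bytes of L4."""
    typ, code = icmp[0], icmp[1]
    if typ not in ERROR_TYPES:
        raise ValueError("ICMP type %d is not an error message" % typ)
    if checksum(icmp) != 0:                # a valid packet sums to zero with its checksum
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    l4 = inner[ihl:ihl + 8]
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {"type": typ, "code": code, "kind": ERROR_TYPES[typ],
            "inner_src": str(ip_address(inner[12:16])),
            "inner_dst": str(ip_address(inner[16:20])),
            "proto": PROTOCOLS.get(proto, str(proto)), "sport": sport, "dport": dport}


def classify(icmp: bytes, our_addrs, sent_flows) -> str:
    """'expected' if the quoted datagram matches a flow we sent; 'unsolicited' if it
    claims to be ours but we never sent it; 'not-ours' if the inner source is not us."""
    e = parse_icmp_error(icmp)
    if e["inner_src"] not in our_addrs:
        return "not-ours"
    flow = (e["inner_src"], e["inner_dst"], e["proto"], e["sport"], e["dport"])
    return "expected" if flow in sent_flows else "unsolicited"


def build_icmp_error(typ, code, inner_src, inner_dst, proto, sport, dport) -> bytes:
    """Constructed error packet: ICMP header + minimal quoted IPv4 header + 8 L4 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                     ip_address(inner_src).packed, ip_address(inner_dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)      # UDP-shaped: ports, length, checksum
    body = struct.pack("!BBHI", typ, code, 0, 0) + ip + l4
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


if __name__ == "__main__":
    ours = {"192.0.2.10"}
    sent = {("192.0.2.10", "198.51.100.5", "udp", 40000, 33434)}
    for pkt in (build_icmp_error(11, 0, "192.0.2.10", "198.51.100.5", 17, 40000, 33434),
                build_icmp_error(3, 3, "192.0.2.10", "203.0.113.7", 17, 1025, 53),
                build_icmp_error(3, 1, "203.0.113.99", "198.51.100.5", 6, 4444, 80)):
        print(classify(pkt, ours, sent), parse_icmp_error(pkt))
```

The quoted inner header is the only evidence the receiving host has, and it is written by whoever built the error packet, so "unsolicited" and "not-ours" are starting points for a question, not conclusions: both backscatter from spoofed traffic and deliberate probing produce exactly this picture.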

0 Comments

Published: 2006-02-09

Blackworm/Nyxem Animation of Infections

There are some pretty neat animations up at CAIDA that show the rate of new infections of BlackWorm/Nyxem/Lots of Other names.  Essentially it shows the world-wide spread of the virus as it progressed (along with a pretty detailed analysis of the worm as a whole).  It's a good read with nods to Swa and Lorna for their contributions.

0 Comments

Published: 2006-02-09

Microsoft Security Advance Bulletin (7 updates, at least 2 Critical)

Microsoft has put up the advance bulletin for next week's updates.  There are 7 total updates, with 2 or more of them being labeled as critical (1 for Windows Media Player, 1+ for Windows itself).  Also, they'll be releasing an update of their Malicious Software Removal Tool.  Looks like it will be an eventful Black Tuesday.

0 Comments

Published: 2006-02-08

Sun Java JRE sandbox bypass vulnerability

Sun has released an alert on 7 vulnerabilities in the JRE. These vulnerabilities are related to the use of the "reflection" API in the JRE. As noted in the alert, there is no workaround; upgrading to the latest version is the only solution.

These vulnerabilities are also related to the "java bug" warned about by US-CERT and AUSCERT a couple of weeks ago; see here for details.

Sun advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

------------
Jason Lam

0 Comments

Published: 2006-02-08

IE + WMF security advisory released by Microsoft (913333)

Microsoft has released a security advisory on a new vulnerability in IE having to do with the handling of WMF image files. It looks like only older versions of IE are affected. This is not the same vulnerability as MS06-001, so there is more patching (or an IE upgrade) coming up.

MS advisory: http://www.microsoft.com/technet/security/advisory/913333.mspx

------------
Jason Lam

0 Comments

Published: 2006-02-08

New Windows service ACL security advisory released (914457)

Microsoft has released a new security advisory on overly permissive ACLs on Windows services. Exploitation of the vulnerability can lead to escalation of privilege on the local machine. XP SP1 and 2K3 (without SP) are identified as vulnerable.

MS advisory: http://www.microsoft.com/technet/security/advisory/914457.mspx

This issue seems to be the same as the one reported a few days ago. Look here for more details.

------------
Jason Lam

0 Comments

Published: 2006-02-07

Old Cisco exploit tries to make a return:

Patrick Harper reported seeing attempts to access the http server in Cisco routers with an old exploit (reported and fixed in 2001) that uses level 16 to bypass authentication, like this:
GET /level/16/exec/-///pwd HTTP/1.0

He reported seeing this traffic from many sources.

This was fixed in IOS some time ago. However, someone thinks they can get lucky and find some out-of-date routers.

Handler Don Smith advises: "Reporting this to the ISPs is a good idea.
They are often interested in anyone who is trying to break into a router:)"

One interesting property of this traffic is that it is not spoofed, a TCP 3-way handshake must be completed with the target before sending HTTP data such as a GET. That is true of all TCP based scans. TCPDUMP shows a P for PUSH so both ends are really talking. In a spoofed scan you never get farther than SYN. The SYN-ACK is sent back to the spoofed source who drops it most likely.

AAA.BBB.CCC.DDD.1873 > WWW.XXX.YYY.ZZZ.http: P [tcp sum ok] 99999
13645:1403813683(38) ack 221455884 win 64860 (DF) (ttl 107, id 46390, len 78)

The exploit is an old one, so why is it in circulation again?

Here is the original advisory from Cisco:
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

Best practices dictate turning off all unused services on a host. So go to your border router and, if it does not have
"no ip http server"
in the configuration, add it now. This will prevent this or any new http exploit from working on your router.
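For anyone who wants to spot these probes in proxy or IDS request logs rather than by hand, here is an added example (not code from the diary or from Cisco). IOS privilege levels only run from 0 to 15, so a request for /level/16/exec, or any level above 15, is malformed by construction and a reliable indicator of this old bypass being retried; the check generalizes the single level-16 probe quoted above to the whole out-of-range set. The log lines are constructed in common-log style and the RFC 5737 client addresses are placeholders.

```python
"""Flag IOS HTTP-server requests that use an out-of-range /level/NN/exec path.

Added example, not part of the ISC diary.  IOS privilege levels are 0..15, so
any request naming a level above 15 (such as the /level/16/exec/-///pwd probe
Patrick reported) is an authentication-bypass attempt against the old
IOS-httplevel bug and never legitimate traffic.
"""
import re
from dataclasses import dataclass

# Constructed access-log lines (common-log style); the addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Feb/2006:10:01:12 +0000] "GET /level/16/exec/-///pwd HTTP/1.0" 401 0
203.0.113.7 - - [07/Feb/2006:10:01:13 +0000] "GET /level/15/exec/-/show/version HTTP/1.0" 401 0
198.51.100.22 - - [07/Feb/2006:10:02:40 +0000] "GET /level/99/exec/-/show/version HTTP/1.0" 401 0
198.51.100.22 - - [07/Feb/2006:10:02:41 +0000] "GET /index.html HTTP/1.0" 200 512
"""

# client, two ignored fields, bracketed timestamp, then the quoted request line.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)')
# The IOS web UI path form: /level/<privilege level>/exec/...
LEVEL_RE = re.compile(r"/level/(\d+)/exec(?:/|$)")

MAX_LEGIT_LEVEL = 15  # IOS privilege levels are 0..15; nothing above exists


@dataclass(frozen=True)
class Hit:
    client: str
    level: int
    path: str


def find_level_bypass_attempts(log_text: str) -> list[Hit]:
    """Return one Hit per request whose /level/NN/ is outside IOS's valid range."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        lvl = LEVEL_RE.search(m["path"])
        if lvl and int(lvl.group(1)) > MAX_LEGIT_LEVEL:
            hits.append(Hit(m["client"], int(lvl.group(1)), m["path"]))
    return hits


def sources(hits: list[Hit]) -> list[str]:
    """Distinct client addresses worth reporting to their ISP, as Don suggests above."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = find_level_bypass_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h.client} requested level {h.level}: {h.path}")
    print("sources:", ", ".join(sources(found)))
```

The level-15 request in the sample is deliberately left unflagged: level 15 is the legitimate enable-mode URL and is still protected by authentication, so it is a policy question for the site, not a protocol violation. Routers with "no ip http server" configured produce none of these lines at all, which is the point of the mitigation above.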

Some old tricks keep coming back. Patrick, thanks for sharing.

0 Comments

Published: 2006-02-07

Update Firefox to 1.5.0.1, the exploit is out

Exploit code for the recently announced Mozilla Firefox 1.5 QueryInterface() remote code execution vulnerability has been released as part of the Metasploit framework. Get yours today: the Firefox update to 1.5.0.1, that is (no links to exploits here, sorry).

See http://isc.sans.org/diary.php?storyid=1091 for more details.

In addition, Thunderbird is vulnerable if JavaScript is enabled. It is not enabled by default. There is no update for Thunderbird available at this time.

0 Comments

Published: 2006-02-07

Corrupted Nyxems

The news about Nyxem (CME-24) is slowly fading, but the number of infected messages being sent around still seems to be pretty high. Besides "normal" e-mails with Nyxem, we had a couple of submissions (and noted this on a couple of servers as well) about corrupted attachments.

Message bodies in these samples are exactly the same as those being sent with working attachments; the only difference seems to be the corrupted attachment.

If you remember, in some cases Nyxem will send MIME attachments; this was probably an attempt by the author to circumvent various filtering engines which may not expect a uuencoded file embedded in a base64 encoded MIME message part.

The beginning of these encoded files is almost always OK; after a couple of lines it gets corrupted.
The corrupted part will look similar to the one below (the first line is from the good version, the second from the corrupted one):

M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````!X;<,@````#V
M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````````````

The letter 'M' at the start of each line indicates how many bytes that line encodes: 77d - 32d = 45d, and 45 bytes are encoded into 60 characters, so each full line should carry 60 characters after the 'M'. You can see that the second example is shorter than 60, so it is clear that the encoding is damaged.
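The length check just described is easy to automate at a mail gateway, so here is an added example (not code from the diary or from any of the tools mentioned). It derives the expected width of a uuencoded line from its leading length character, compares it with the actual width, and walks a whole begin/end block to report which body lines are damaged. The two body lines are the ones quoted above; the "begin 644 sample.bin" header and the trailing "`" and "end" lines are constructed to complete the block.

```python
"""Validate uuencoded lines against their own length field.

Added example, not from the ISC diary.  Every uuencoded body line starts with a
length character c where (ord(c) - 32) & 0x3F is the number of raw bytes on the
line; each 3 raw bytes become 4 printable characters, so a well-formed line has
4 * ceil(n / 3) characters after c.  A line shorter than that is damaged.
"""
from dataclasses import dataclass

# The two lines quoted in the diary: the first from a good sample, the second corrupted.
GOOD_LINE = "M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````!X;<,@````#V"
BAD_LINE = "M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````````````"

# Constructed block: header and terminator added around the diary's two lines.
SAMPLE_BLOCK = "\n".join([
    "begin 644 sample.bin",
    GOOD_LINE,
    BAD_LINE,
    "`",      # zero-length line that terminates the body
    "end",
])

MAX_RAW_BYTES = 45  # uuencode never puts more than 45 raw bytes on one line


@dataclass(frozen=True)
class LineCheck:
    length_char: str
    raw_bytes: int   # bytes the line claims to encode
    expected: int    # encoded characters that should follow the length char
    actual: int      # encoded characters actually present
    ok: bool


def check_uu_line(line: str) -> LineCheck:
    """Decode the length character and compare it with the line's real width."""
    line = line.rstrip("\r\n")
    if not line:
        raise ValueError("empty line")
    c = line[0]
    n = (ord(c) - 32) & 0x3F          # '`' and ' ' both mean zero bytes
    if n > MAX_RAW_BYTES:
        raise ValueError(f"invalid length character {c!r}")
    expected = 4 * ((n + 2) // 3)     # 4 output chars per 3 input bytes, rounded up
    actual = len(line) - 1
    return LineCheck(c, n, expected, actual, actual == expected)


def find_damaged_lines(block: str) -> list[int]:
    """Return 1-based numbers of body lines whose width disagrees with their length field."""
    damaged = []
    in_body = False
    for lineno, line in enumerate(block.splitlines(), start=1):
        if line.startswith("begin "):
            in_body = True
            continue
        if line == "end":
            break
        if not in_body or line == "":
            continue
        try:
            if not check_uu_line(line).ok:
                damaged.append(lineno)
        except ValueError:
            damaged.append(lineno)   # garbage in the length position is damage too
    return damaged


if __name__ == "__main__":
    for label, line in (("good", GOOD_LINE), ("bad", BAD_LINE)):
        print(label, check_uu_line(line))
    print("damaged body lines:", find_damaged_lines(SAMPLE_BLOCK))
```

One caveat when using this as a filter: a mail relay that strips trailing spaces produces the same "too short" symptom on encoders that pad with spaces instead of backticks, so treat a short line as a reason to quarantine and inspect, not as proof of the corrupted-Nyxem variant.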

If you now try to decode this (for example, uudecode will try to decode it and will complain about an error), you'll get a corrupted executable. This file still has a valid header, so if your policy dictates blocking executables on the e-mail gateway, it will be blocked.

The majority of AV vendors don't detect this. Of course, the file is harmless, so theoretically there is no reason why they should detect it, but it would probably be nice to add definitions for these corrupted attachments, just so they don't confuse end users.
We've received a submission from one of our readers that McAfee detects this as Generic Malware.a!zip.

Thanks to Mark Ackermans for a nice analysis of what's going on with the corrupted attachments.

0 Comments

Published: 2006-02-07

A Bump in the Wire

Watching the ports, there is a bit of activity on two that are of interest to us.  Take a look at your local flows and see if you are detecting increases on tcp/7212 and tcp/32768.  If you have any packet captures or analysis, please send it to us via our contact form.  Thanks!

Update
We got quite a number of responses regarding the TCP 7212 traffic. Jose Nazario is reporting that he traced the scans to a proxy called "Ghostsurf". This proxy is frequently left open, allowing others to hide behind it.

A netcat listener recorded traffic that supports this idea:

GET http://umsky.com/prx.php?p=p1234 HTTP/1.0
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: umsky.com
Connection: Keep-Alive

Only a small set of sources is currently scanning for this port.

0 Comments

Published: 2006-02-06

CAIDA Report on Blackworm

An analysis by David Moore and Colleen Shannon at CAIDA of the spread of the Nyxem (or Blackworm or Kama Sutra or MyWife or CME 24) Virus in January and early February 2006 is available from their web site.  This is a very nice analysis with descriptions, charts, graphs, and figures.

0 Comments

Published: 2006-02-06

Cyber Storm Exercise

We've had a few readers write to us asking about the US Department of Homeland Security's Cyber Storm exercise.  Right up front we should remind everybody that the DHS will not be firing cyber bullets at your networks this coming week.  The exercise is scenario-driven and is designed to test the intercommunication capabilities and response procedures for several agencies and some private sector companies.  More details are contained in a Federal Computer Week article published last week.  No information is available yet from the DHS public web site, but if we find out more we'll post the links.

0 Comments

Published: 2006-02-06

DShield is Famous

A little over a week ago the President of the United States visited the National Security Agency in Ft. Meade, Maryland.  The visit came on the heels of allegations that domestic eavesdropping laws were broken, and that the administration had exceeded its authorized powers.  We aren't going to pick sides on that one but there was a really nice photo that showed up in the Washington Post as part of the story that we should all be proud of.  When I first saw it, I thought:

Super-secret spy agency sensor grid - $Billions
Security for a visit from the President of the United States - $Millions
Showing the President that your prime source of information is a bunch of volunteers - PRICELESS!

See the photo or read the article.  The image you see behind the NSA Director is the Talisker Security Wizardry Portal, which includes the DShield world map along with other security information.

By the way, that DShield image doesn't just get there by magic.  It's the result of thousands of volunteers around the globe running sensors that feed information about data flows to a central database repository.  From there, DShield can detect early indications of new threat tools, worm activity, and other malicious trends.  It's no wonder that the NSA likes showing it off to the President!  But to make it work we need more volunteers.  Even if all you have access to is a SOHO router in your house you can probably submit logs to DShield.  Instructions are online at DShield and if you have any questions please drop us a note via our contact form.

Can you tell that Sunday was a slow day?  I suppose that everybody was preparing for the Super Bowl or recovering from the five computers affected by the CME-24 virus on Friday. 

That's OK.  We needed the breather.


Marcus H. Sachs
Handler of the Day

0 Comments

Published: 2006-02-04

Recovering LOST files from a hard drive

Help! I have lost data files from my hard drive (due to CME-24 or other reasons).

First, if at all possible, TURN OFF the computer and put the infected drive on another system that is not infected.
If for one reason or another you cannot, you should consider one of the CD-ROM or floppy based recovery systems and an extra drive.

You should perform recovery to a different filesystem than the one being recovered from; otherwise you risk overwriting some files as you recover others.
Be aware that some companies offer demos that identify "lost" files but don't save the files they find.
 
Here is a short list of forensic tools and data recovery tools.

Windows:

http://www.x-ways.net/davory/index-m.html
The free version is limited to recovering files of 200k or smaller.

Linux/Unix based tools:

http://www.sleuthkit.org/autopsy/

CDROM based Bootable images

FCCU GNU/Linux boot CD 10.0 from the Belgian "Federal Computer Crime Unit"
http://www.lnx4n6.be/index.php?sec=Downloads&page=bootcd

Fire from SourceForge
http://fire.dmzs.com/

FoRK from Vital Data
http://www.vitaldata.com.au/modules/tinycontent1/index.php?id=9
Requires a registration.

Here is a good list of forensics tools.

http://www.forensics.nl/toolkits

0 Comments

Published: 2006-02-04

CME-24 aka blackworm update

The number of infected emails has dropped off some, but we are still getting reports of CME-24 infected emails being blocked inbound from several sources, so the infection continues.

We are also getting a few reports of data loss due to the malicious payload.

Many people have commented on the high counts of reported CME-24 in Peru and India.
One possible explanation comes from the way the worm updates the counter.
The worm hits its counter every time it starts up, such as when a computer is rebooted.

So countries would have a higher hit count if they had:
- older computers that require frequent rebooting
- dynamic IPs with a high rate of change
- systems that charge by the hour for connections (internet cafes)

0 Comments

Published: 2006-02-03

eXchange POP3

Some of our readers need to be calmed down I guess: It's not Microsoft's exchange. eXchange pop3 is from a 3rd party vendor. Find it at: http://www.exchangepop3.com/.

The good news is that it took the vendor about 2 weeks to issue a fixed version for download.

From the description, the vendor makes a product that is to be installed on or close to a real Exchange machine. So we're not out of the woods yet. The product offers connections between an Exchange server and an external POP3 or IMAP mailbox. Yet its SMTP service has a buffer overflow in its handling of the "RCPT TO:" command. The exploit has been made public.

--
Swa Frantzen


0 Comments

Published: 2006-02-03

Looking for samples of W32.Kiman.A

Our malware analysts are looking for samples of the Kiman worm.

If you have any, please consider uploading them using our contact form.

--
Swa Frantzen

0 Comments

Published: 2006-02-03

Windows local privilege escalation - Windows access control

On January 31st 2006, a paper was published by Sudhakar Govindavajhala and Andrew W. Appel at Princeton University titled Windows Access Control Demystified. It took the hacker tool developers just a few days to publicly release their first exploit referencing it. The exploit allows local escalation of privileges. On an OS typically used by users who are all administrators, that might not be considered the biggest thing ever. Still, it should be fixed by all vendors involved.

Now, for the average administrator it might seem nearly ridiculous that allowing just one right too many can escalate that user to being able to run an arbitrary executable with all the local rights he could wish for. Worse, the problem is so obscure that many applications, including some made by Microsoft and bundled with Windows XP (uPnP and SSDP), did have that one right too many. Not only did Microsoft goof on it, so did Adobe, AOL, Macromedia and probably a few more.

I cannot help but notice that the whole system of access control used in Windows is rather complex, and that might very well be the core of the problem. KISS is, after all, a principle that has proven through the years to work best in many cases.

Anyway, that document and its implications are mandatory reading if you want to take away local admin rights from any user with any success. The consequence is also that installing any software for any user needs to be done with extreme caution and security verification. Even if the one user needing the extra software is not your most restricted user, it still needs the full verification.
It is also mandatory for any developer making any application to understand this fully.

And as I said, I don't think it's easy to fully comprehend.
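To make the "one right too many" problem concrete for both this entry and the 914457 advisory above, here is an added example (not code from the diary, the Princeton paper or Microsoft). It parses a service's security descriptor in SDDL form, the text that "sc.exe sdshow <service>" prints, and reports any allow ACE that hands SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write/all right to a broad principal such as Authenticated Users or Everyone. The SDDL strings are constructed; the right-to-bit mapping is the standard one sc.exe uses for service objects.

```python
"""Audit a Windows service DACL (SDDL form) for rights that allow privilege escalation.

Added example, not part of the ISC diary.  Paste the output of
`sc.exe sdshow <service>` into audit_service_sddl(); anything it returns is an
ACE that lets every member of a broad group reconfigure the service or rewrite
its ACL, which is exactly the "one right too many" the Princeton paper describes.
"""
import re
from dataclasses import dataclass

# Two-letter SDDL right tokens as they apply to service objects (the mapping
# sc.exe uses: the directory-object bits double as the service-specific rights).
SERVICE_RIGHTS = {
    "CC": 0x00000001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x00000004,  # SERVICE_QUERY_STATUS
    "SW": 0x00000008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00000010,  # SERVICE_START
    "WP": 0x00000020,  # SERVICE_STOP
    "DT": 0x00000040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00000080,  # SERVICE_INTERROGATE
    "CR": 0x00000100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GW": 0x40000000,  # GENERIC_WRITE
    "GR": 0x80000000,  # GENERIC_READ
}

# Rights that let the holder change what binary the service runs or rewrite its ACL.
DANGEROUS = {
    "SERVICE_CHANGE_CONFIG": 0x00000002,
    "WRITE_DAC": 0x00040000,
    "WRITE_OWNER": 0x00080000,
    "GENERIC_ALL": 0x10000000,
    "GENERIC_WRITE": 0x40000000,
}
DANGEROUS_MASK = sum(DANGEROUS.values())  # bits are disjoint, so sum == OR

# SDDL abbreviations and SIDs for groups that every local or logged-on user is in.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "BU": "Users", "S-1-5-32-545": "Users",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
}

# Constructed descriptors: the weak one grants Authenticated Users (AU) the DC
# right; the fixed one gives AU only query/status/interrogate rights.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;IU)")
FIXED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;IU)")


@dataclass(frozen=True)
class Finding:
    principal: str
    mask: int
    rights: list


def parse_rights(token: str) -> int:
    """Turn an SDDL rights field (two-letter tokens or 0x... hex) into an access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError(f"malformed rights field {token!r}")
    mask = 0
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in SERVICE_RIGHTS:
            raise ValueError(f"unknown right token {pair!r}")
        mask |= SERVICE_RIGHTS[pair]
    return mask


def audit_service_sddl(sddl: str) -> list:
    """Return a Finding for every allow ACE giving a broad principal a dangerous right."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # stop before any SACL
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, _obj, _inherit, sid = fields[:6]
        if ace_type != "A":          # deny ACEs never grant anything
            continue
        mask = parse_rights(rights)
        if sid in BROAD_PRINCIPALS and mask & DANGEROUS_MASK:
            names = [n for n, bit in DANGEROUS.items() if mask & bit]
            findings.append(Finding(BROAD_PRINCIPALS[sid], mask, names))
    return findings


if __name__ == "__main__":
    for label, sddl in (("weak", WEAK_SDDL), ("fixed", FIXED_SDDL)):
        print(label, audit_service_sddl(sddl) or "no broad principal holds a dangerous right")
```

The Administrators (BA) and SYSTEM (SY) ACEs are deliberately not flagged even though BA holds DC, WD and WO: those principals already have full local control, so the right adds nothing. The audit only fires on groups a non-privileged user belongs to, which is the case that the paper and the 914457 advisory are about.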

--
Swa Frantzen

0 Comments

Published: 2006-02-02

Mozilla Firefox vulnerabilities and upgrade

According to secunia's security advisory, several vulnerabilities were found in Firefox. Fortunately, Mozilla released Firefox 1.5.0.1 to fix them.

See the release notes and the list of security fixes.

--
Swa Frantzen

0 Comments

Published: 2006-02-02

CME-24 Analysis: The destruction does not appear to spread across Windows network shares

I wanted to share some of the results of some long hours spent looking at this malware.  When the infection occurs, it immediately places copies of itself locally and on each share and mapped drive that it finds.  Based on this behavior, my initial thoughts were that the destructive payload would be carried out via shares and/or mapped drives as well.

I now have changed my initial thoughts on how the destruction would occur.  Here are some of my notes from my testing of this concept.  Here is the MD5 from the file I was using:
1c66904ecb846da5b1fb2072f9ea6e0e *New WinZip File.exe

The first test I did led me to believe that the destruction would be carried out via the shares and mapped drives.  In my initial test, I had two infected systems (one XP and one W2K) with drives mapped to each other.  I infected each box, changed the system time to Feb 2 at 11:50pm, launched ethereal and filemon, and ran the first shot using RegShot.  After an hour, I stopped the captures and ran my second shot of the hard drive with RegShot.  All my data files were now overwritten, zip files were corrupted, etc.  Everything was happening as I thought it would.  All my mapped drives had corrupted files. The security logs from each box showed accesses from the other.

Then I looked at regshot.  It showed that the following registry key was created; pay close attention to the middle value that was added:
----------------------------------
Keys added:1
----------------------------------
HKEY_USERS\S-1-5-21-2052111302-839522115-2092228675-1004\Control Panel\BMale

----------------------------------
Values added:3
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun: D6 07 02 00 05 00 03 00 02 00 3B 00 01 00 00 00
HKEY_USERS\S-1-5-21-2052111302-839522115-2092228675-1004\Control Panel\BMale\Update: "z: [\\192.168.6.130\c$]\"
HKEY_USERS\S-1-5-21-2052111302-839522115-2092228675-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}
\Count\HRZR_EHAPCY:gvzrqngr.pcy: 08 00 00 00 06 00 00 00 60 C0 9A 42 D7 26 C6 01


Regshot showed a registry key being created on each box that referenced my mapped drive to the other box.  Ethereal showed traffic from each box to its respective mapped drive.  Everything pointed to the data being accessed via mapped drives.  However, to be sure I ran two more tests.

This time I tested from an infected W2K box to a clean XP box with mapped drives and some shares.  The malware placed copies of itself on all the mapped drives and shares.  I followed the same test procedures as described above using ethereal, filemon and regshot.  I set the time for each of these to be 11:50pm on 2 Feb and waited.  The destructive payload occurred right at 12:30am both times.  I think 12:30 is right on the money. The second time was 12:31, but I think filemon was logging slowly due to the load.  So the 30 minutes is right on target.

According to the filemon results, it searches for each file type before moving on to the next file type.  However I did not see it search the same directories for each file type.  It appears some directories get searched for one file type, but not another. The order it occurred was:  

*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp

Here is something of interest that I noted which I have not seen documented anywhere.  It also searched for two other file types, *.ppl and *.exe.  Below you see the last lines when it is looking for the *.dmp files.

Update.exe:992    OPEN    C:\WINDOWS\system32\1037\    SUCCESS    Options: Open Directory  Access:   All    
79190    12:32:44 AM    Update.exe:992    DIRECTORY    C:\WINDOWS\system32\1037\    NO SUCH FILE    FileBothDirectoryInformation: *.dmp    
79191    12:32:44 AM    Update.exe:992    CLOSE    C:\WINDOWS\system32\1037\    SUCCESS        
79192    12:32:44 AM    Update.exe:992    OPEN    C:\WINDOWS\system32\1037\    SUCCESS    Options: Open Directory  Access: All    
79193    12:32:44 AM    Update.exe:992    DIRECTORY    C:\WINDOWS\system32\1037\    SUCCESS    FileBothDirectoryInformation: *    
79194    12:32:44 AM    Update.exe:992    DIRECTORY    C:\WINDOWS\system32\1037\    SUCCESS    FileBothDirectoryInformation    
79195    12:32:44 AM    Update.exe:992    DIRECTORY    C:\WINDOWS\system32\1037\    NO MORE FILES    FileBothDirectoryInformation    
79196    12:32:44 AM    Update.exe:992    CLOSE    C:\WINDOWS\system32\1037\    SUCCESS        
79197    12:32:44 AM    Update.exe:992    OPEN    C:\WINDOWS\system32\1041\    SUCCESS    Options: Open Directory  Access: All    
79198    12:32:44 AM    Update.exe:992    DIRECTORY    C:\WINDOWS\system32\1041\    NO SUCH FILE    FileBothDirectoryInformation: *.dmp


A few lines later, this occurs:
80626   12:32:51 AM     Update.exe:992    OPEN    C:\Program Files\    SUCCESS    Options: Open Directory  Access: All    
80626    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    NO SUCH FILE    FileBothDirectoryInformation: *.exe    
80627    12:32:51 AM    Update.exe:992    CLOSE    C:\Program Files\    SUCCESS        
80628    12:32:51 AM    Update.exe:992    OPEN    C:\Program Files\    SUCCESS    Options: Open Directory  Access: All    
80629    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    NO SUCH FILE    FileBothDirectoryInformation: *.exe    
80630    12:32:51 AM    Update.exe:992    CLOSE    C:\Program Files\    SUCCESS        
80631    12:32:51 AM    Update.exe:992    OPEN    C:\Program Files\    SUCCESS    Options: Open Directory  Access: All    
80632    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    NO SUCH FILE    FileBothDirectoryInformation: *.exe    
80633    12:32:51 AM    Update.exe:992    CLOSE    C:\Program Files\    SUCCESS        
80634    12:32:51 AM    Update.exe:992    OPEN    C:\Program Files\    SUCCESS    Options: Open Directory  Access: All    
80635    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    SUCCESS    FileBothDirectoryInformation: *    
80636    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    SUCCESS    FileBothDirectoryInformation    
80637    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    NO MORE FILES    FileBothDirectoryInformation    
80638    12:32:51 AM    Update.exe:992    CLOSE    C:\Program Files\    SUCCESS        
80639    12:32:51 AM    Update.exe:992    OPEN    C:\Program Files\    SUCCESS    Options: Open Directory  Access: All    
80640    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    NO SUCH FILE    FileBothDirectoryInformation: *.ppl    
80641    12:32:51 AM    Update.exe:992    CLOSE    C:\Program Files\    SUCCESS        
80642    12:32:51 AM    Update.exe:992    OPEN    C:\Program Files\    SUCCESS    Options: Open Directory  Access: All    
80643    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    NO SUCH FILE    FileBothDirectoryInformation: *.exe    
80644    12:32:51 AM    Update.exe:992    CLOSE    C:\Program Files\    SUCCESS        
80645    12:32:51 AM    Update.exe:992    OPEN    C:\Program Files\    SUCCESS    Options: Open Directory  Access: All    
80646    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    NO SUCH FILE    FileBothDirectoryInformation: *.exe    
80647    12:32:51 AM    Update.exe:992    CLOSE    C:\Program Files\    SUCCESS        
80648    12:32:51 AM    Update.exe:992    OPEN    C:\Program Files\    SUCCESS    Options: Open Directory  Access: All    
80649    12:32:51 AM    Update.exe:992    DIRECTORY    C:\Program Files\    NO SUCH FILE    FileBothDirectoryInformation: *.exe    
80650    12:32:51 AM    Update.exe:992    CLOSE    C:\Program Files\    SUCCESS        


It only occurred in this small burst and only searched the one directory.  However, it occurred right after the last search for the *.dat files. None of the searches were directed to my mapped drives or shares.  They were only searching the local hard drive.

If that wasn't exciting enough, I recorded lots of activity to my mapped drives.  Keep in mind that it did access them easily to put copies there on the initial infection.  Here are some excerpts:

Update.exe:992    OPEN    Z:\ [\192.168.6.130\c$]\    PATH NOT FOUND    Options: Open Directory  Access: All    
80560    12:32:49 AM    Update.exe:992    OPEN    Z:\    SUCCESS    Options: Open Directory  Access: 00000000    
80561    12:32:49 AM    Update.exe:992    CLOSE    Z:\    SUCCESS        
80562    12:32:49 AM    Update.exe:992    OPEN    Z:\ [\192.168.6.130\c$]\    PATH NOT FOUND    Options: Open Directory  Access: All    
80563    12:32:49 AM    Update.exe:992    OPEN    Z:\    SUCCESS    Options: Open Directory  Access: 00000000    

However, the only files that were destroyed were those on the local system.  None of the files on the shares or mapped drives were touched.  I'm not sure why at this point.  I have packet captures from this time that correlate with access to those drives occurring, but no destruction.  In the search for files, I never saw any searches being conducted via shares and/or mapped drives.  It only occurred on the local hard drive.

I again ran the same test from an infected XP box to a clean W2K and repeated the above process.  I still have registry keys being created and traffic to the shares/mapped drives, but no file modification happening.  The results were almost identical.  Remember the registry key above?  It was not pointed at the mapped drive on this test, but rather at the D:\ which is the CDROM.

At this point, I do not believe that the destructive payload will occur via shares and/or mapped drives.  Infected boxes, however, will have all their files destroyed if they fall into one of the file types above.  As for the *.ppl and *.exe, I have no good explanation at this time.  Good luck folks!
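The conclusion above (directory searches only ever hit the local drive, while the mapped drive was merely opened) is the kind of thing worth pulling out of a filemon log mechanically rather than by scrolling. Here is an added example (not code from the diary or from Sysinternals) that parses filemon-style rows, groups the FileBothDirectoryInformation searches by wildcard and by drive, and lists drives the process touched but never searched. The sample rows are constructed from the excerpts above, tab-separated as filemon exports them; the sequence numbers, times and 192.168.6.130 address are the ones in the excerpts.

```python
"""Summarize filemon rows: which wildcards were searched, on which drives.

Added example, not part of the ISC diary.  Rows are tab-separated filemon
export lines: sequence, time, process:pid, operation, path, result, detail.
"""
import re
from collections import defaultdict

SEARCH_RE = re.compile(r"FileBothDirectoryInformation: (\S+)")

# Constructed from the excerpts in the diary; tabs separate the seven columns.
FILEMON_SAMPLE = "\n".join([
    "79190\t12:32:44 AM\tUpdate.exe:992\tDIRECTORY\tC:\\WINDOWS\\system32\\1037\\\tNO SUCH FILE\tFileBothDirectoryInformation: *.dmp",
    "79198\t12:32:44 AM\tUpdate.exe:992\tDIRECTORY\tC:\\WINDOWS\\system32\\1041\\\tNO SUCH FILE\tFileBothDirectoryInformation: *.dmp",
    "80626\t12:32:51 AM\tUpdate.exe:992\tDIRECTORY\tC:\\Program Files\\\tNO SUCH FILE\tFileBothDirectoryInformation: *.exe",
    "80640\t12:32:51 AM\tUpdate.exe:992\tDIRECTORY\tC:\\Program Files\\\tNO SUCH FILE\tFileBothDirectoryInformation: *.ppl",
    "80560\t12:32:49 AM\tUpdate.exe:992\tOPEN\tZ:\\\tSUCCESS\tOptions: Open Directory  Access: 00000000",
    "80562\t12:32:49 AM\tUpdate.exe:992\tOPEN\tZ:\\ [\\192.168.6.130\\c$]\\\tPATH NOT FOUND\tOptions: Open Directory  Access: All",
])


def parse_filemon(text: str) -> list:
    """Split tab-separated filemon rows into dicts; rows with too few columns are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 7:
            continue
        seq, time, proc, op, path, result, detail = parts[:7]
        rows.append({"seq": int(seq), "time": time, "process": proc, "op": op,
                     "path": path, "result": result, "detail": detail})
    return rows


def drive_of(path: str) -> str:
    """'Z:\\ [\\192.168.6.130\\c$]\\' -> 'Z:'; non-drive paths are returned unchanged."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else path


def summarize_searches(text: str, process: str = "Update.exe") -> dict:
    """Map each wildcard the process searched for to the sorted drives it searched on."""
    by_pattern = defaultdict(set)
    for r in parse_filemon(text):
        if not r["process"].startswith(process + ":") or r["op"] != "DIRECTORY":
            continue
        m = SEARCH_RE.search(r["detail"])
        if m:
            by_pattern[m.group(1)].add(drive_of(r["path"]))
    return {k: sorted(v) for k, v in sorted(by_pattern.items())}


def drives_touched(text: str, process: str = "Update.exe") -> list:
    """Every drive the process opened, searched or closed anything on."""
    return sorted({drive_of(r["path"]) for r in parse_filemon(text)
                   if r["process"].startswith(process + ":")})


def drives_never_searched(text: str, process: str = "Update.exe") -> list:
    """Drives the process touched without ever issuing a wildcard search on them."""
    searched = {d for ds in summarize_searches(text, process).values() for d in ds}
    return sorted(set(drives_touched(text, process)) - searched)


if __name__ == "__main__":
    print("searches:", summarize_searches(FILEMON_SAMPLE))
    print("touched:", drives_touched(FILEMON_SAMPLE))
    print("touched but never searched:", drives_never_searched(FILEMON_SAMPLE))
```

Run against a full capture, the last function is the one to watch: a mapped drive appearing there is exactly the "accessed but not searched" pattern the tests above found for Z:.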





0 Comments

Published: 2006-02-02

It is already Feb 3rd!

Ok, in some parts of the world it is already Feb 3rd, and some damage has probably already been done.
If you know any story related to this event, please share it with us.

0 Comments

Published: 2006-02-02

Preparing for Feb 3rd(CME-24)

We received a lot of suggestions about measures against CME-24; in other words,
how to prepare for Feb 3rd besides relying on anti-virus.

What follows below is a compiled list of those. Some were tested, some were not.

Update:

Javier Romero sent a link to a Spanish Article regarding CME-24 detection:
"Cómo detectar el virus CME-24 Kamasutra /Nyxgen / MyWife / Blackworm antes del 3 febrero"


- The rule below, made by Per Kristian Johnsen of Telenor Security Center,
is said to detect attempts to copy WINZIP_TMP.exe to shares. According to the author,
they have been able to detect infected machines where the already published
snort/sourcefire rule couldn't:

alert tcp any any -> any 135:139 (msg:"Nyxem attempting to copy WINZIP_TMP.exe to shares"; flow:to_server,established; content:"|57 00 49 00 4e 00 5a 00 49 00 50 00 5f 00 54 00 4d 00 50 00 2e 00 65 00 78 00 65|"; reference:url,www.lurhq.com/blackworm.html; classtype:trojan-activity; sid:5000173; rev:1;)

- Another user used SMS to scan drives for files with a size of 95,690 bytes named:

%Windir%\Rundll16.exe
%System%\scanregw.exe
%System%\Winzip.exe
%System%\Update.exe
%System%\WINZIP_TMP.EXE
%System%\SAMPLE.ZIP
%System%\New WinZip File.exe
movies.exe
Zipped Files.exe


- A security Dweeb at a large California municipal government agency wrote a batch script that:

"1) looks for the infected file names existence
on %windir% and %sysdir% using simple DIR /B commands. Output is sent to
uniquely named text file (with a non-standard extension). Infected
workstations will show a non-zero file size. Batch file is below; uses
environment vars that are unique to user and computer name.
2) The batch file will be placed in the login script for all
computers.
3) Ensure that verified backups are completed tonight (Wed).

Batch file:
@echo off
dir /b %WinDir%\system\Winzip.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b %Temp%\word.zip                                        .exe >> %username%_%computername%.rgh

Although dangerous, we think we have a very low chance of a problem.
According to LURHQ, there are only 15K computers in the US that have
contacted the "counter" site. And we have other protections in place
(blocking of all executables in mail attachments, current anti-virus
updates, etc.)"

Update: Another user suggested quoting the long filename in the script above, as shown below (the redirection belongs on the same line as the dir command):
dir /b "%Temp%\word.zip                                        .exe" >> %username%_%computername%.rgh

-----------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org )

0 Comments

Published: 2006-02-01

nmap 4.00 released

nmap has got to be one of my favourite and oft used tools.
I am using it as I type this   :)

From nmap-hackers:
Hot on the heels of 3.9999 (you could probably guess this was
coming), I am pleased to announce that Nmap 4.00 is now available!

Documentation: http://www.insecure.org/nmap/docs.html
Download: http://www.insecure.org/nmap/download.html
Release Announcement:
http://www.insecure.org/stf/Nmap-4.00-Release.html

Cheers,
Adrien




0 Comments

Published: 2006-02-01

Cisco VPN 3000 crafted HTTP attack

The Cisco advisory is located at:
 http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_security_advisory09186a00805f0147.shtml

Apparently version 4.7.2(C) resolves this issue.
The workaround is to disable HTTP.

This remote exploit involves sending a small stream (less than 50 packets) of tcp/80 traffic to a Cisco VPN 3000 Concentrator appliance running the WebVPN service. After this occurs, all sessions currently accessing the appliance are dropped, and no further communication is possible until the system is powered down and restarted. No authentication or credentials are required to exercise this vulnerability.

By default, the WebVPN Service permits both tcp/80 (HTTP) and tcp/443 (HTTPS) inbound; the appliance performs a redirect from the HTTP query to the HTTPS. The vulnerability exists within the code base responsible for the redirect.

From: http://www.esentire.com/news/vuln-cisco-vpn.html

Update (06 Feb 2006)
At present, we recommend that all users of firmware that uses Cisco's WebVPN upgrade to the newest version (currently 4.7.2D) AND disable inbound tcp/80 access as a fix for this exploit.
Thanks Eldon!
 
Cheers,
Adrien
 

0 Comments

Published: 2006-02-01

Recommended Block List

Update:
Based on feedback from Intercage customers, we no longer
recommend blocking them. Please let us know if you see any problems from 69.50.160.0/19 and we will try to facilitate contact and a resolution.

Updated Update:

Sunbelt posted this blog documenting the issues with Intercage. As a comment: we do not say that Intercage is a safe and clean network now. However, they appear to have some valid customers. Please decide for yourself if you need the valid sites badly enough to risk exposure to the malware hosted at Intercage.




I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks.

They have been associated with a number of high-profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non-responsive to current and past requests to remove malicious content.

0 Comments