Once upon a time, eight handlers traveled to a Magic Kingdom, leaving their friends behind to sweep the floors, empty the ashes from the fireplace, and mind the store.  And lo, while their friends did labor long and hard, the eight naughty handlers danced and played among the inhabitants of that Magical place until they began to look and act... well... right at home.  Of course they moaned and complained that their time in the Magical Kingdom wasn't fun at all, but the friends they left behind knew better.



So, if you happen to be attending SANS 2006 and you see either Snow J or any of the dwarves... tell 'em we said "hi." (Note: Sincere apologies to Walt, his heirs, and assigns... Corporate lawyer-types: It's parody.  Lighten up.)

Update #1

We have received an overwhelming number of emails as a result of this diary.  This is to clarify a couple of things.  Yes this professor could have set up its own system for the students to use, yes they could have been instructed that they were to get permission from the owners of the systems first, yes they could have done any number of things to make this a valuable, worthwhile learning experience. That was not done unfortunately.

We have also received several emails asking us to release the name of the institution that this refers to.  We won't do that as we were asked not to in the diary.  It is our policy at the ISC to provide confidentiality when requested.  That is what allows us to cover such controversial subjects as we do.  Yes what is being done by this Institution of Higher Education is incorrect. We are pursuing a satisfactory resolution to this as best we can. We also have not and will not publish the entire document. 

John Bambenek one of our handlers that works at University of Illinois had this to say on the subject:

It's high time that the principles of academic freedom stop providing shields for felonious conduct or eventually the people and the government will take it away all together.

We also have received a number of emails suggesting that we have a legal obligation to report this.  We are aware that this maybe a possibility.  We will assure all of our readers that we will indeed do what is right. We may not talk about what we did but we will do our best to make sure that this type of activity does not continue to go on.  We truly want the Internet to be a safe place for all to work and play. 

Hopefully this will answer some of the questions and concerns that are arising from this article.

Update #2

We have received indications there has been a partial callback of the assignment. We're inviting the professor to contact us directly for any statement and/or clarification he might want to offer.

If he does contact us with a statement we will update the diary again.  Again thanks to all who  did contact us concerning this. Both the good and the bad. We have responded to as many as we could (of course not to the ones that gave us phony email addresses).  We at the ISC appreciate the participation of everyone, whether you agree with us or not. We learn a lot from the pro's and the con's and enjoy the interaction.

We received an email today from a concerned colleague at one of the state colleges in the US. We promised the colleague that we would not reveal name or school so I won't. It is tempting, but I won't. This is an actual assignment. I am not making this up, this IS the real thing.

So here is the story of the assignment from Professor Packetslinger. In a Computer Security class in the Winter of 2006 (which by the way is next year if I remember correctly) the students have been given an assignment. The assignment is worth 15% of the final grade for the class. (So refusing to do the assignment very well could drop a student from an A to a B or worse in the blink of an eye).

The "TASK"

Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.

You got it. This is verbatim. Professor Packetslinger wants the students to conduct illegal activity involving port scanning and vulnerability scanning. He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, Host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic and what vulnerabilities they see.

Hmm – seems to me that Professor Packetslinger wants the students to do all of the background work for him.

Ok so now what must the students submit in writing to Professor Packetslinger?

Let's see what he wants:

What the student must submit

The note to the students:

In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.

(This tells me that Professor Packetslinger is well aware of the laws and the fact that doing this without express permission and authorization IS against the law in most countries and municipalities. The same laws that the students are being asked to violate).

The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations [AKA break ins, our words], examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.

Can you believe it? Amazing, simply amazing. One important thing Professor Packetslinger failed to request:

Dates of student's incarceration so that they can be excused from class and not counted absent.

Ok, so the concerned colleague who contacted us about Professor Packetslinger and his assignment went on to explain:

"We've barked this one up our own tree of management. Word came down this morning that no direct action will be taken against the professor, but if we catch any students doing these scans against our computers we will not be exempting them from our existing procedure. Specifically, disabling their student account and referring them to the Student Dean of Corrections."

In other words, we won't discipline Professor Packetslinger, we won't stop the assignment from going forward. As long as the students don't scan our computers, it is ok. If they scan our computers they will be reprimanded and lose their privileges on campus.

This is incredible; this University is encouraging illegal activity. They are encouraging students to do something that is, in the words of fellow Handler Adrien:

Illegal, unethical, immoral.
How about just plain stupid and ignorant.

And handler Swa had this to say:

Doing it is illegal in many parts of the world. But using authority to have somebody else do something illegal is in some places on this world even worse than the act itself and any decent prosecutor should chop the prof in fine pieces over this.

Actually inciting somebody to do something illegal (even if the act isn't performed) might be a case on its own. Now if he fails a student over this, they might have no more reason not to put down an official complaint for being asked to perform illegal acts.

First thing to do: recall the assignment; tell the students they should not even consider it.  Next (public) apologies from the professor are the least. But at the _very_ least don't let him near kids anymore, as an educator he's a miserable failure.

This from our resident comedian Tom:

Spamming for Fun and Profit.

It is hard for me as a security professional to understand the logic of Professor Packetslinger. I have relatives in the fair city in which this prestigious state university resides. I am going to ask them to keep an eye on the local paper and shoot me off articles about the arrests. And I definitely will not recommend this school to my friends and relatives. My sympathy goes out to the students that will be forced into completing this assignment. My sympathy to their families, especially those who are caught and charged with computer crimes. I just hope that the dear professor gets to experience the full impact of his illegal, unethical and immoral acts and he too gets to spend some time behind bars.

How about the school?

As fellow Handler Lorna put it

Wonder how the school would feel about a law suit launched against THEM because of this assignment!

The school is allowing this assignment to go forward. They are as guilty of this crime as the professor and the students. They too need to pay the price and a lawsuit against them would be a small price to pay.

I started to look at the malware and got it unpacked in my faithful debugger when I saw some strings that always peak my interest...those that give you a command shell. I always like those. There was also a URL in the strings, so I fired the malware up in my VM and saw that it indeed wanted to go to that URL. I looked at the source code for the actual URL and found nothing really unique about it. There were two .htm files in that websites directory structure. One we'll call "File.htm" and the other "file2.htm". A regular user gets "file.htm" when they visit the site, but the malware wanted "file2.htm". The only difference between the two files were 8 little characters commented out at the top using html comments "<!--" and --> which seemed interesting.

Well, if it wants a website...give it a website (isn't VM great). I set up a website for my malware using copies of the htm files from the actual site and sent it on its happy way. A packet capture showed the malware going to the website, establishing a connection, getting thefile it wanted, sending an ack for it and then a rst ending the connection. My curiosity was peaked but what exactly was the purpose of it going to that specific site? So when I encounter something new and cool and really need an expert on the code.....what do I normally do.....find my fellow handler Tom Liston and see if he has time to play!

Tom (many thanks to you Tom!) and I spent alot of time looking at this and the mystery is not yet solved as to how it is working in its entirety. But its scary as it currently exists. Not the delivery of it, but the malware itself. The malware gets installed by a user clicking on a link in the email to download a file and then opening that file or by opening the attachment and running it. The .exe installs itself and runs as a service. The malware contacts the site and does a GET, the site passes the page back and looks just like normal web traffic to the casual observer. The malware however parses the first 64 bytes of that page it gets which means it grabs those unique little characters at the top and a little more. Then it uses a delimiter of <!-- for the left side and --> for the right side and pulls the characters out of the middle. It runs them through several commands, but it doesn't appear that the string on the page is the one its looking for right now. Nothing is happening with it at this point. We have theories as to what the malware is doing and we are working to confirm them.

However it doesn't take take much to realize that it is a unique approach and many nasty things could be done. Its really just another sad indicator as to the direction that malware is going and the more difficult our battle is to keep our networks secure.

Love it or hate it, OS X users need to exercise increased vigilance.

Soon, even your beloved little Mac laptop will be spending its spare CPU cycles sending out advertisements for Viagra and Cialis.

The recent news of these vulnerabilities in the OS is getting plenty of attention.  Some would argue that things are being blown out of proportion.  I think there is some lazy journalism, and sensationalism afoot.  Yet, like any FUD-storm there is usually some kernel of truth.  In this case, this kernel is not so small and insignificant.

A quick review of some critical points:

• The OS X Finder issue allows arbitrary execution of code.
• There exists proof-of-concept code that demonstrates this vulnerability.
• There exists easy-to-use tools in the wild to actively exploit this vulnerability.

• The Bluetooth Directory traversal vulnerability (Bugtraq ID 13491) allows an attacker to access arbitrary files on the system.
• There exists malicious code in the wild that exploits this (OSX.Inqtana.A –no CME available)

• OS X has a disparity of controls when it comes to file headers and file icons. 
• This was exploited by OSX.Leap.A

Secure or Easy-to-Use: Pick one.  "Security is a compromise" is a well-known axiom.  In an effort to use as little hype as possible I only suggest that now is the time for Mac users to seriously consider anti-virus, personal firewalls, and safe browsing habits.  It is the time for Mac sysadmins to develop strong patch management policies.  This likely means that a Mac is no longer the no-brainer-choice for what computer to get for your parents.

It would also be simply splendid if Jobs would release his patch clusters on any day other than MS Tuesday.

Today at the day-job we crossed a threshold.  Some would say we took a step backward.  As of today, everyone who sends an email to our abuse@dayjob address will receive an auto-response.  The old days of a human response within 24 hours are now forever-gone at my organization.  The increased load of traffic and the plummeting percentage of messages that actually needed a response have brought us to this decision.

Let there be a Moment of Silence.

Steps to export viruses from the AVG vault for analysis.

DHS wants to improve software security.

It's nice to see that all the spam countermeasures that we deploy actually are effective. How do we know that? Well, spammers are constantly trying to exploit new tricks against various spam detection methods, with more or (usually) less success.

One of the latest "tricks" from their bag consists in sending extremely short e-mails in order to starve the decision matrix of the Bayesian classifier.

The sample e-mail below looks like a desperate move by a spammer in order to evade spam detection.



We can see that in the e-mail body there is only couple of words, but there is a ZIP archive as well. In the archive there is a HTML web page, together with some disclaimers(!!). The HTML web page is the actual spam content (this time being some porn spam advertisement with links to PayPal; they're obviously trying to make some money).

The disclaimer is even more interesting:

  XXX Content Warning
  .............................................

  Please read and comply with the following conditions
  before you continue:
  .............................................

  I am at least
  21 YEARS OF AGE.

And so on. This is probably some kind of legal defense as they are advertising porn web pages.

We've seen two variants of this spam. They are basically similar, but in the other case the ZIP archive is actually password protected and password is listed in the message body. This can cause various e-mail gateways to alerts (as this looks pretty much like a worm).

You grab a line, and I'll grab a pole...

...and we'll go phishin' in the crawphish hole...

http://users.pandora.be/bratax/advisories/b008.html
http://msdn.microsoft.com/library/default.asp?
       url=/library/en-us/htmlhelp/html/vsconhh1start.asp

Tony Carothers
Handler on Duty

We have gotten alot of questions and concerns over the new functionality implemented with Google Desktop.  

More information about it can be found at:  http://desktop.google.com/features.html

The Google Desktop is a tool which users can choose to use or choose not to use it.  They simply offer a service.  By default, the functionality is not turned on.  To search other computers they have to be running Google desktop and have the "Search Across Computers" preference turned on each one of them as well as you have to have the same Google account to access them. 

To download the tool, you have to agree to their "terms and conditions" and their "privacy" policy. If you have questions, Google has a webpage for questions.

GET http://umsky.com/prx.php?p=p1234 HTTP/1.0
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: umsky.com
Connection: Keep-Alive

Only a small set of sources is currently scanning for this port.

Help I have lost data files from my harddrive (due to CME-24 or other reasons).

Windows:

Linux/Unix based tools:

http://www.sleuthkit.org/autopsy/

CDROM based Bootable images

Here is a  good list of forensic's tools.

By default, the WebVPN Service permits both tcp/80 (HTTP) and tcp/443 (HTTPS) inbound; the appliance performs a redirect from the HTTP query to the HTTPS. The vulnerability exists within the code base responsible for the redirect.

From: http://www.esentire.com/news/vuln-cisco-vpn.html