Yellow: WebViewFolderIcon setslice exploit spreading
History
On Friday 29th (for nearly all of our readers past their working day) we saw the WebViewFolderIcon setslice exploit spreading in the wild. We raise our Infocon to Yellow for 24 hours to increase awareness of the problem and call for action. Barring further developments we will go back to Green after 24 hours; we will remind our readers on Monday. This bug was first published in the Month of Browser Bugs on July 18th as a denial of service; its author recently released a variant that executes code.
Reason for Yellow
The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to Yellow to emphasize the need to consider fixes. If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly, and the people using the exploit are not the least dangerous ones either: some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove.
Actions
We suggest the following actions (do them all: a layered approach still works when one of the measures fails):
- Update your antivirus software and make sure your vendor has protection for it (*).
- Install the following killbits (**):
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
make sure you set both.
- Consider asking your users to stop using MSIE; we know it's hard to break an addiction, but it is the most targeted browser in the world.
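The killbit step as a script, added here as an example; it is not one of the handlers' tools. It assumes an elevated PowerShell prompt. The CLSID list defaults to the two WebViewFolderIcon CLSIDs quoted on this page (the second appears in the Sept. 28th entry further down, where it is flagged as unconfirmed); check the list against Microsoft advisory 926043 before rolling it out. It flips only the 0x400 bit of "Compatibility Flags", covers the Wow6432Node view on 64-bit Windows, and reports the ANDed status with an exit code like the command-line tool described in the Setslice Killbit Apps entry.

```powershell
# Added example, not one of the ISC handlers' tools. Sets (or with -Undo clears) the
# Internet Explorer killbit for each CLSID and reports the result. Run elevated.
# The default CLSIDs are the two WebViewFolderIcon ones quoted on this page; confirm
# them against Microsoft advisory 926043 before deploying.
param(
    [string[]]$Clsid = @('{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}',
                        '{844F4806-E8A8-11d2-9652-00C04FC30871}'),
    [switch]$Undo
)

$KILLBIT = 0x400   # bit in "Compatibility Flags" that stops IE instantiating the control
$roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both where it exists.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
    $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return 0 }
    $v = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Set-KillBit {
    param([string]$Id, [bool]$Enable)
    foreach ($root in $roots) {
        $key = "$root\$Id"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = Get-CompatFlags $key
        # Touch only the killbit; any other compatibility bits stay as they were.
        $flags = if ($Enable) { $flags -bor $KILLBIT } else { $flags -band (-bnot $KILLBIT) }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-KillBit {
    # True only if the bit is set in every registry view (ANDed, as the handlers' tool does).
    param([string]$Id)
    foreach ($root in $roots) {
        if (-not ((Get-CompatFlags "$root\$Id") -band $KILLBIT)) { return $false }
    }
    return $true
}

$wanted = -not $Undo.IsPresent
foreach ($id in $Clsid) {
    Set-KillBit -Id $id -Enable $wanted
    '{0}  killbit={1}' -f $id, (Test-KillBit $id)
}
# Exit 0 only when every listed control is in the requested state, 1 otherwise.
$bad = @($Clsid | Where-Object { (Test-KillBit $_) -ne $wanted })
exit ([int]($bad.Count -gt 0))
```

With no parameters it sets both killbits and exits 0 once both read back as set; -Undo clears them again, which is the reversibility the Setslice Killbit Apps entry points out. A killbit does not unregister the control, it only stops Internet Explorer from loading it; other hosts of the control are unaffected.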
References
- CVE-2006-3730
- USCERT note 753044
- Microsoft security advisory 926043
- Jesper's blog about setting killbit using group policy (GPO)
- Snort VRT sigs: SID 7985 and SID 7986, available since September 1st.
- JS/Exploit-BO.gen by McAfee
- JS_PLOIT.BC by TrendMicro
- Bloodhound.Exploit.83 by Symantec
- Sept. 30th diary
- Sept. 29th diary with tool to set the killbits
- Sept. 28th diary
(*): Note the difference between your antivirus detecting the exploit itself (very rare) and detecting the payload of known exploits (common). Only the former offers real protection against new variants.
(**): There are currently no reports of side effects on other applications when stopping this ActiveX control.
--
Swa Frantzen -- Section66
SunJava 1.5.0_09 Released
One of our readers shared with us that SunJava 1.5.0_09 has been released. You can get it from:
Java Runtime Environment (JRE) 5.0 Update 9
Release Notes
Test your installation
Update: As of Sun Oct 1 09:00:00 EDT 2006, neither the locally installed nor the on-line Java version tester seems to be aware of the 1.5.0_09 update. In one test, the on-line updater reported that 1.5.0_06 is the latest version. Jim Manico also reported that in his test, version 1.5.0_08 was reported as being up-to-date.
Perhaps the updater only detects major version changes? In this case, we saw no important security reason to rush with the 1.5_0_09 update. However, we hope that the update mechanism will work as advertised when an important security vulnerability needs to be patched.
(Original diary entry by Koon Tan; update by Lenny Zeltser)
0 Comments
*WebViewFolderIcon ActiveX control exploit(s) in the wild
Here is some preliminary info from the folks who got the jump on this at Exploit Prevention Labs.
http://explabs.blogspot.com/2006/09/webviewfoldericon-setslice-exploit-in_30.html
Mitigation:
On the client side "killbits" can be used to stop Internet Explorer from loading the vulnerable control (the control itself stays registered; IE just refuses to instantiate it).
See http://isc.sans.org/diary.php?storyid=1742 for more details.
On the network side it might be worth considering taking control of hostname lookups on your network through a technique like blackhole-dns: http://www.bleedingsnort.com/blackhole-dns/
The exploit URLs mentioned in the explabs blog have so many IP addresses behind them that blocking by IP or netblock becomes an uphill battle.
Update: I realize this is an incomplete suggestion if the hostname is unknown. However, there are legitimate reasons not to release the full URL of easily portable, unpatched exploits. I still think it is worthwhile for sites to review their DNS logs and consider options such as blackhole-dns. In this case you'd just have to blackhole *.biz if the hostname is unknown.
More Info:
Advisory from Microsoft
MoBB #18
OSVDB(27110)
CERT(VU753044)
Updates will be posted here as they become available.
If anyone has information to share please do so via the contact link: http://isc.sans.org/contact.php
and indicate whether the info should be kept private or not.
Update:
The exploit is detected as:
JS/Exploit-BO.gen by McAfee
JS_PLOIT.BC by TrendMicro
Bloodhound.Exploit.83 by Symantec
Background info on malicious ActiveX controls and killbits
0 Comments
Apple updates to 10.4.8 and Security Update 2006-006
Lots of Updates today for Apple:
The entire iLife Suite gets an update.
Plus OS X goes from 10.4.7 to 10.4.8, and Security Update 2006-006 is bundled in too. Let's take a look at what's in the update:
The 10.4.8 Update is recommended for all users and includes general operating system fixes, as well as specific fixes for the following applications and technologies:
- connecting to wireless networks using the EAP-FAST protocol
- Apple USB modem reliability
- using OpenType fonts in Microsoft Word
- compatibility with 3rd party USB hubs
- scanner performance
- RAW camera support
- printing documents with Asian language names
- performance of the Translation widget
- broadband network performance
Security Update 2006-006 says:
CFNetwork
CVE-ID: CVE-2006-4390
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated
Flash Player
CVE-ID: CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Playing Flash content may lead to arbitrary code execution
ImageIO
CVE-ID: CVE-2006-4391
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted JPEG2000 image may lead to an application crash or arbitrary code execution
Kernel
CVE-ID: CVE-2006-4392
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Local users may be able to run arbitrary code with raised privileges
LoginWindow
CVE-ID: CVE-2006-4397
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: After an unsuccessful attempt to log in to a network account, Kerberos tickets may be accessible to other local users
CVE-ID: CVE-2006-4393
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Kerberos tickets may be accessible to other local users if Fast User Switching is enabled
CVE-ID: CVE-2006-4394
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Network accounts may be able to bypass loginwindow service access controls
Preferences
CVE-ID: CVE-2006-4387
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: After removing an account's Admin privileges, the account may still manage WebObjects applications
QuickDraw Manager
CVE-ID: CVE-2006-4395
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Opening a malicious PICT image with certain applications may lead to an application crash or arbitrary code execution
SASL
CVE-ID: CVE-2006-1721
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Remote attackers may be able to cause an IMAP server denial of service
WebCore
CVE-ID: CVE-2006-3946
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted web page may lead to arbitrary code execution
Workgroup Manager
CVE-ID: CVE-2006-4399
Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Accounts in a NetInfo parent that appear to use ShadowHash passwords may still use crypt
Updates we are still waiting on from Apple:
php
SSL/SSH (those just came out, but still)
Read all about the update here.
0 Comments
A Report from the Field
Yesterday morning (9/27) when dropping off my son at school, I told his first grade teacher about the VML exploits and patch availability. She said she had computers at home and would call her husband to make sure they were patched.
When my significant other picked him up around 5:30, the teachers were all talking about how her husband checked and found out they were infected with one of the trojans. Their bank accounts had been drained by electronic withdrawals and money transfers. Since it had occurred the day before, the bank (unknown) was able to reverse the transfers and replace the money in their accounts. They won't even bounce a check.
After receiving the report, I had a few questions and received a prompt follow-up. What the thieves did with the money was interesting. Most of the funds were transferred out using one of those services where you can wire cash to people. I'm not sure if these were wired to other accounts using the intermediary, or if people actually walked up to a counter to retrieve the funds. They also used funds in this account to purchase background checks at certain people-search/information-broker companies. Most likely this is an attempt to gather further identities in a way that won't tip off the broker.
Thanks for the report Kevin, study hard and get good grades next week at SANS Network Security in Las Vegas! Don't poke your eye out with the antenna in SEC617
0 Comments
Openssl patches ASN.1 flaw
You can check which version of OpenSSL you have with the following command:
# openssl version
One thing to remember is that many distributions backport fixes without following the project's version numbering, so the version string alone does not tell you whether you are vulnerable: check your distribution's own OpenSSL advisory for the package version that carries the fix.
Mike Poor ekim #@# intelguardians.com
Handler on Duty
0 Comments
OpenSSH 4.4 (and 4.4p1) released
See http://www.openssh.com for more details.
0 Comments
Setslice Killbit Apps
(and really, it was 10 days ago... sheesh, how time flies!)
Anyway, I've got two more for you, this time setting the killbits on a couple of versions of webvw.dll and (as far as we can tell) shutting off access to the stuff that makes IE vulnerable to the "setslice" issue. Note: we've tested these settings against the Metasploit project's test page, and they work. Because MS hasn't released any information as of yet, we're sort of flying blind here... That being said, the killbit method is great because it is completely reversible.
There are two versions of the app, one a standard Windows program, the other a command-line version.
The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer-types out there...) and give you the option to change them. (From SET to UN-SET, and vice versa...)
Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22
The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r"). It will return 0 on success and 1 on failure.
Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271
Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians
1 Comments
MSIE: One patched, one pops up again (setslice)
So: No, surfing with MSIE is still not safe.
References
Defenses
- Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
- Disable ActiveX (take care: Windows Update needs it, so you need to keep trusting those sites)
- Set the killbit:
{844F4806-E8A8-11d2-9652-00C04FC30871}
[unconfirmed at this point that it's the right killbit, so proceed with caution]
- Keep antivirus signatures up to date.
- Keep an eye out for a patch from Microsoft.
- ...
Swa Frantzen -- Section 66
0 Comments
Powerpoint, yet another new vulnerability
References
Detection
McAfee has a writeup of the exploit they detected against this vulnerability; it connects back to http:// mylostlove1 .6600 .org/[CENSORED], but variants will most likely connect to other places.
Affected
It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable.
Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs, ...
Defenses
- Do not open ... but we all know how easy it is to social engineer people into opening things anyway.
- Use the PowerPoint Viewer 2003 (not an option if you have a Mac).
- Filter and/or quarantine PowerPoint files at the perimeter (block PowerPoint email attachments and PowerPoint downloads from the web), but this is not easy: the format has genuine uses, and a file does not need a ".ppt" extension to be opened as PowerPoint.
- Keep antivirus signatures up to date.
- Keep an eye out for a patch from Microsoft.
- ...
--
Swa Frantzen -- Section 66
0 Comments
MS06-049 re-release
0 Comments
* VML Update Released
The update can currently be found on Microsoft Update and is titled
Security Update for Windows XP (KB925486)
This URL should point to the right place: http://go.microsoft.com/fwlink/?LinkID=73174 (not live as of 1:38PM EST)
It is recommended that the patch be applied immediately (after testing) unless a suitable mitigation strategy is in place.
Thanks to everyone that submitted analysis, news, samples, malicious website reports, etc
More info:
http://isc.sans.org/diary.php?storyid=1727
0 Comments
Deja Vu - Request for W32.Pasobir Malware Sample
Thanks!
**snip**
"Periodically checks for both fixed and removable drives starting with drive D: that are attached to the system and copies itself as the following file:
[DRIVE LETTER]:\sxs.exe
Creates the following file containing instructions to start the worm when the drive is attached to the system:
[DRIVE LETTER]:\autorun.inf"
0 Comments
De-registering vgx.dll in an enterprise
=========
The following post is my experience with de-registering vgx.dll in a large, corporate and R&D environment with sites around the globe.
The purpose is to present our actions and findings. I make no promises, guarantees, etc. that this will work for others. So please be sure to do your own testing and risk analysis.
All of that said ... I hope that my point of view helps to possibly aid others in their efforts to find and effective mitigation strategy for this vulnerability.
Since the early whisperings of exploits for the vulnerability, and then 'suggested' work-arounds, de-registration of the vgx.dll has been at the top of our list of possible mitigations.
Starting (very) early on Friday morning, and going through an 11 hour day, our InterOp team tested the effects of the de-registration on as many different system configurations as they could. In the end they found no issues and supported this recommendation for mitigation. Early Friday evening we put our plan in place and commenced with the de-registration of vgx.dll from all of our ~38,000 corporate and ~8,000 R&D systems. By late evening 1/3 of our targets had the dll de-registered; there were no reported issues with business critical systems and applications, there were calls to the help desks and there were no issues from our R&D folks.
Two and a half days after putting the plan in place 98% of our systems have had the dll de-registered and things remain stable and quiet on all fronts.
There have been some reports of system slow-downs by employees, but after investigation there were no clear linkages between the actions taken and the symptoms observed. In most cases a simple reboot solved the problem.
We continue to monitor the situation as well as staying in contact with Microsoft to ensure that our environment remains stable and malware free.
=========
Thanks for sharing Eric.
Cheers,
Adrien de Beaupré
Cinnabar Networks/BSSI
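Eric's 98% figure implies a way of checking each host. The script below is an added example, not part of his report or tooling: it lists the COM class registrations whose InprocServer32 still points at vgx.dll, which is what regsvr32 /u removes, so a de-registration rollout can be audited per host. It checks both registry views on 64-bit Windows and uses the same DLL path as the diary's regsvr32 line; the /s flag it prints just makes regsvr32 run silently.

```powershell
# Added example, not part of the report above. Lists the COM class registrations that
# still point at vgx.dll, so a regsvr32 /u rollout can be audited host by host.
# Both registry views are checked on 64-bit Windows. Exit code 0 = not registered.
$DllName = 'vgx.dll'
$roots = @('HKLM:\SOFTWARE\Classes\CLSID')
if (Test-Path 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
    $roots += 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
}

function Get-DllRegistrations {
    param([string]$Name)
    foreach ($root in $roots) {
        foreach ($clsid in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $srv = "$($clsid.PSPath)\InprocServer32"
            if (-not (Test-Path $srv)) { continue }
            # The (default) value of InprocServer32 is the DLL path regsvr32 wrote.
            $path = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            if (-not $path) { continue }
            # Take the file name ourselves: registry values may be quoted or use %vars%.
            $leaf = (([string]$path).Trim('"') -split '[\\/]')[-1]
            if ($leaf -ieq $Name) {
                [pscustomobject]@{ Clsid = $clsid.PSChildName; Path = $path; View = $root }
            }
        }
    }
}

$regs = @(Get-DllRegistrations -Name $DllName)
if ($regs.Count -eq 0) {
    "$DllName is not registered on $env:COMPUTERNAME"
    exit 0
}
$regs | Format-Table -AutoSize
"$DllName is still registered on $env:COMPUTERNAME; unregister with:"
"regsvr32 /u /s `"$env:CommonProgramFiles\Microsoft Shared\VGX\vgx.dll`""
exit 1
```

Push it out with whatever you used for the rollout (Invoke-Command, psexec, the software distribution system) and collect the exit codes: a non-zero host still has CLSIDs pointing at vgx.dll. Enumerating HKLM:\SOFTWARE\Classes\CLSID takes a few seconds per host, which is fine for an audit but not something to run every minute.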
0 Comments
VML vuln being actively exploited
A reader wrote in after having seen a VML exploit and reviewing his firewall logs. The following web site URLs are deliberately munged and obfuscated until the site owners respond to emails and phone calls advising them of the problem, do not click on them using any web browser on a Microsoft platform.
The first site is
http:// www .allied(snipped) parts .com
The bottom of that page contains an iframe which loads:
http:// www .traffl(snipped) .info/out.php?s_id=1
Which goes and gets:
http://www .webmasters(snipped) .com/s_test/test/ vml_sp2_gamer .htm
Which contains the VML exploit. The fun doesn't stop there!
By now this system is thoroughly owned, and more malware follows.
vml_sp2_gamer.html pulls gamer.exe off the same site, which in turn grabs gamer1.exe and counter.exe and also reports successful infection to another URL, raff loads.info. gamer1.exe is a password stealer that is even seen by Clamav: Trojan.Spy.Goldun-141
Many thanks to Daniel and Swa and the other ISC handlers.
Cheers,
Adrien de Beaupré
Cinnabar Networks/BSSI
0 Comments
Using ISA to help block VML exploit
This is a highly recommended measure in a Microsoft-centric environment, as one of the defence-in-depth layers of protection, not by itself. Please see the earlier diary entries on the VML vulnerability and its current exploitation here.
Cheers,
Adrien de Beaupré
Cinnabar Networks/BSSI
0 Comments
VML exploits with OS version detection
0 Comments
Netcraft Report - HostGator servers exploited via cPanel, allowing redirection & VML exploitation
"By early Saturday morning, HostGator managers were assuring users that the cause of the redirections had been isolated, and was due to a new exploit targeting cPanel.".
The article details and references a fix that is at the cPanel site.
0 Comments
Mailbag Q&A concerning MS Desktop Search add-on vulnerabilities
Thanks for the question Ricardo, and MS, thanks for the answer!
0 Comments
MSN-Worms exploit MS pif filter vulnerability
"But some of you might remember that Microsoft blocked messages containing ".pif"?
Yes they have, but... the MS block is case sensitive!
So the criminals used capital letters, ".PIF" and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.".
While you're there also check out their excellent Kaspersky Security Bulletin, January - June 2006: Malware Evolution released 09/22.
Thanks for the heads up Kaspersky!
And readers please remember (sticking tongue firmly in cheek) Microsoft says "Microsoft is aware of third party mitigations that attempt to block exploitation of vulnerabilities in Microsoft software. While Microsoft can appreciate the steps these vendors and independent security researchers are taking to provide our customers with mitigations, as a best practice, customers should obtain security updates and guidance from the original software vendor. Microsoft carefully reviews and tests security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. Microsoft cannot provide similar assurance for independent third party security updates or mitigations."
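To make the bypass concrete, here is an added example in PowerShell; it is not from the Kaspersky post or this diary. It shows the case-sensitive suffix check the post describes next to a check that normalises the name and compares the extension case-insensitively. The sample file names and the blocked-extension list (apart from .pif) are constructed for the example.

```powershell
# Added example, not from the Kaspersky post or the ISC diary. A case-sensitive
# attachment filter of the kind the post describes, beside a hardened one.
# $blocked is an assumed list; .pif is the extension from the post.
$blocked = @('.pif', '.scr', '.exe')

function Test-BlockedWeak {
    param([string]$Name)
    # Ordinal (case-sensitive) suffix match: ".PIF" and ".Pif" slip through.
    foreach ($ext in $blocked) {
        if ($Name.EndsWith($ext, [System.StringComparison]::Ordinal)) { return $true }
    }
    return $false
}

function Test-BlockedHardened {
    param([string]$Name)
    # Windows drops trailing dots and spaces when the file is written, so strip them
    # first; then take the real extension and compare it ignoring case.
    $n   = $Name.TrimEnd('.', ' ')
    $ext = [System.IO.Path]::GetExtension($n)
    foreach ($b in $blocked) {
        if ([string]::Equals($ext, $b, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Constructed sample names: the second to fourth are the variants the post mentions,
# plus a trailing-dot name that ends up as photo.pif on disk.
$samples = 'photo.pif', 'photo.PIF', 'photo.Pif', 'photo.pif.', 'photo.jpg'
foreach ($s in $samples) {
    '{0,-12} weak={1,-5} hardened={2}' -f $s, (Test-BlockedWeak $s), (Test-BlockedHardened $s)
}
```

The weak function blocks only the first sample; the hardened one blocks the first four and passes photo.jpg. The same normalise-then-compare approach applies to any filter keyed on a file name, whether it sits in a mail gateway, a web proxy or a chat client.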
0 Comments
Issues with e-mail notifier
0 Comments
Yellow: MSIE VML exploit spreading
Yellow
The VML exploit is now becoming more widespread, so we changed the InfoCon level to Yellow to emphasize the need to consider fixes. If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used on more and more mainstream websites. The risk of getting hit is increasing significantly.
Outlook (including Outlook 2003) is, as expected, also vulnerable, and the email vector is being reported as exploited in the wild as well.
Weekends are moreover popular moments in time for the bad guys to build their botnets.
Actions
We suggest the following actions (do them all: a layered approach still works when one of the measures fails):
- Update your antivirus software and make sure your vendor has protection for it.
- Unregister the vulnerable dll:
or
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
- Consider asking your users to stop using MSIE; we know it's hard to break an addiction, but it is the most targeted browser in the world.
Quotes
Ken Dunham from iDefense claims they have seen a significant increase in attacks over the last 24 hours and "[at] least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains". Those domains pointed visitors to a VML exploit. We're happy to note they join us in recommending "implementing a workaround ASAP" and see the upcoming weekend as a factor in it.
References
- US-CERT Vulnerability Note
- auscert Vulnerability Note (phishing like technique)
- Microsoft Security Advisory 925568
- Blocking VML using a GPO (use the magic incantations at own risk)
- Snort VRT
- Websense
- McAfee
- Symantec
- Trendmicro
- Panda
- F-secure
- xforce.iss
- Sept. 21st diary
- Sept. 19th diary
Swa Frantzen -- Section66
0 Comments
Zeroday Emergency Response Team (ZERT)
0 Comments
Security Challenges and Games
Speaking of that, I once had an attendee in my SANS class that did great throughout the first five days of class. But, on the last day, he didn't want to play the CtF game that we had been building up to for the whole week. When I asked him why he wouldn't play, he said, "I don't play games." He seemed to imply that games were beneath him. I found that to be very sad... Well-constructed games can help us learn, and have fun at the same time. I build capture the flag game challenges for the neighborhood kids that they play around my house with my own children. These games include computer challenges, audio quizzes, simple ciphers (that an 8-year old can crack), video puzzles, and so on. They are a lot of fun.
So, I'd like to renew my request. Have you seen and actually played any publicly available (i.e., on the web) security/hacking challenges? Please submit only ones that you've played and found useful, interesting, or at least fun.
I'll get the ball rolling by mentioning these, and I'll add to the list as I get recommendations from you all day:
- The Defcon CtF Prequalification Challenges from this year, created by Kenshoto. The folks from 1@stplace, this year's Defcon CtF winning team (congrats, guys... GREAT WORK!), compiled these challenges and posted them on the 'net. Note that the target servers are off-line, but all of the fantastic file-based challenges are available at this site. This set of challenges is really wonderful, especially with the mix of technologies brought to bear, and the different mindsets needed to play in the diverse categories.
- Skillz challenges, hosted at ethicalhacker.net. I write these, along with my buddies Mike Poor and Tom Liston. The latest, Netcat in the Hat, was created by Tom, and you can still enter to win a prize.
- My archive of movie and TV themed challenges (17 in all) on my website.
Reader Aaron mentioned the very nifty project Webgoat from OWASP. I really like this one a lot. It provides a simulated e-commerce application that you download and install on your own machine. Then, you get to attack it, using techniques such as SQL injection, weak session cookies, Cross Site Scripting, etc. It's a _great_ learning tool for people mastering the art of web app penetration testing. Thanks, Aaron!
An anonymous reader points us to www.hackr.org, where several challenges are available at different skill levels.
PJ mentioned http://quiz.ngsec.com and http://pulltheplug.org/wargames. Both are classics in this genre, worthy of your attention.
Reader Peter mentions the www.hackthissite.org, which has a very large collection of hacking challenges and sort-of "real-world" scenarios. Peter cautions, though, "However be warned and stay on the beaten track as you would not want to be firing malicious payload at a 'challenge' site that is redirecting to a .gov site!" That's good advice. Always, always, always double check your targets before firing in any such activities, whether hacker challenges or full-blown professional penetration tests! Also, note that some people may find some of their stuff offensive. You have been warned!
Beau pointed us to a fabulous collection of games and challenges that the Foundstone guys have pulled together here.
Diligent reader Tyler points out our very own Pedro Bueno's malware analysis challenges, which are really fun and well thought-out. Read them here.
Tyler also mentioned the Honeynet Project's scan of the month challenges. Reader Brian points out that one of their very best challenges was the Forensics Challenge. Truly a classic!
Although I was focusing on web-based challenges, several folks have written in with some live challenges that have tickled their fancy at hacker conferences or other venues.
Chris Compton, a great friend and very bright guy, mentions: "While I'd certainly agree with the merits of web-based games, I also think there's something unique that can be learned from the highly charged, collaborative, competitive environment of in-person games. I find I not only get good practice, but I also get to shoulder-surf my way to a better understanding of what some of the best 'competitors' are doing these days, and how they're approaching different problems.
Now, inevitably I'm going to plug Hack-or-Halo at Shmoocon as a good event for all skill levels... but I would also encourage the ISC readership to make an effort to attend and play at any or all of these such events/games."
Well said, Chris. These can be very worthwhile games. A list of a few live, hands-on games was compiled by our reader Ronaldo, who mentions:
"Welcome to the DEF CON 13 WarDriving Contest
http://www.securitytribe.com/dc13wardrive/index.html
The 2005 UCSB International Capture The Flag (Giovanni Vigna)
http://www.cs.ucsb.edu/~vigna/CTF/
HITBSecConf2006 - CAPTURE THE FLAG OVERVIEW & RULES
http://conference.hackinthebox.org/hitbsecconf2006kl/?page_id=61
ToorCon 8 - RootWars
http://www.toorcon.org/2006/rootwars.html"
Ronaldo also mentioned OpenInfreno - An Open Source Root War Engine
http://openinfreno.sourceforge.net. This is a very cool engine on which to build CtF games. Nice work, gents!
Thanks--
--Ed Skoudis
Intelguardians.
0 Comments
Apple updates Airport Drivers
The full advisory notes 3(!) arbitrary code execution issues fixed by this patch. The advisory mentions that there is no known exploit, and does not give credit to anyone for discovering the vulnerability.
I recommend applying the patch ASAP. However, you will only be able to download the full patch "as is". Patches for the individual vulnerabilities are not provided. Interestingly, OS-X update labels the patch a "wireless network reliability fix".
For more background from Brian Krebs, see his latest blog.
0 Comments
Updated MSIE VML Remote Buffer Overflow Exploit Code Released
The site contains a modified version of the code that was originally released on Tuesday that has now been tested on:
- Windows XP SP1 + IE6 SP1
- Windows XP SP0 + IE6
- Windows 2000 SP4 + IE6 SP1
- Windows 2000 SP4 + IE6
0 Comments
2222/tcp Probes
In yesterday's diary Jim showed Dshield data pointing to a drastic increase in probes to tcp port 2222.
Today, the data drops back down to 'normal' levels
We did receive quite a few e-mails listing applications that use tcp 2222 by default, including Allen-Bradley SLC-505 PLCs and other Ethernet-connected Allen-Bradley programmable logic controllers, Direct Admin, and the pubcookie key server.
That port is also known to be used by a couple of trojans.
We've also received a few packets, and based on what we can see, it is a syn packet that may be crafted. One of the handlers noticed some irregularities in the source port and sequence numbers.
I'll post the packets as soon as I can properly anonymize them to protect the innocent. ;)
We'll keep an eye on this over the next few days.
0 Comments
MS Desktop Search add-on vulnerabilities - Trustworthy Computing gone too far
MS's KB "Best practices and security issues to consider when you use FolderShare" is weak; its only useful recommendation is:
"you can effectively block outgoing traffic to FolderShare. To permanently block the FolderShare satellite from running in a particular environment, block access to the following host name on port TCP/443:
redir1.foldershare.com ".
The folks at NISCC credit "Ben Rexworthy of Securinet UK and white-hats.co.uk for reporting these issues to NISCC".
0 Comments
2222/tcp Probe Increase
Earlier today I detected some probes that caused me to investigate further. My ipf logs on my handy little sparc logged hits on port 2222/tcp. I might have glossed over it, except I have sometimes used port 2222 for secure shell daemon in the past. This was primarily to keep people from constantly hitting my unix boxen trying to brute force passwords and giving me tons of logs to process daily. (Yes, I know that security by obscurity doesn't work, but in this case it was more of a data reduction function for the overworked and underfunded security guy.)
Well in any case, it caught my attention a bit. I investigated a bit further and looked at secure shell logs further to see if everyone else in the world had used the same "bright idea" which I had a few years back causing the hackers to look there as well. Amazingly enough, no logs whatsoever in any of the systems I know are still listening on that port.
After I scratched my head a bit, I went over to the Dshield data and sure enough we are seeing the same type of probing there.
As you can see, there has been no substantial increase in sources, just in records and targets. Further investigation seems to indicate that a single IP is responsible for the majority of the records. But it doesn't clear up what they were trying to find. Is it the old rootshell left behind by the circa 1999 Linux amd exploit? Is it something else?
So with that, "anyone got packets?" If you have a netcat or ssh listener and have captured packets, or have other ideas, please contact us.
0 Comments
PDF vulnerabilities
The author claims these are basic vulnerabilities in the PDF API or architecture. The author tested his PoCs against Acrobat Reader and Adobe Professional.
The details are available here.
http://michaeldaw.org/
http://www.eweek.com/article2/0,1895,2016606,00.asp
Here is a quick risk assessment.
How widely deployed is the application?
Adobe reader is widely used and deployed. (9)
Are vendor patches available?
No patches currently available (10)
Is mitigation available and if so how complete is the mitigation?
No mitigation is currently available. (10)
Is user participation required?
Yes. The user first has to download or click the link to a pdf. (5)
So some user interaction takes place.
I have not tested the POCs but several people have and their results do not match. Depending on who tested it you may have to click allow.
See this discussion on who tested the pocs and their results.
http://www.networksecurityarchive.org/html/FullDisclosure/2006-09/msg00252.html
Is the vulnerability cross platform?
Yes. Any exploits will still have to run system dependant malware on the end host but there are plenty of malware binaries that could be used. (8)
Is proof of concepts or exploit code available?
The poc for two of the vulnerabilities are publicly available (10)
Overall risk score 8.7 on a scale of 0 – 10 with 10 being the highests.
This is based on the numbers I assigned.
Your risk might be slightly higher or lower depending on the numbers you would assign and any mitigation factors. In most risk assesments I do I include the value of the system that is vulnerable. In this case that is difficult to do so I have left that out.
0 Comments
0day this, 0day that, I've got the 0day blah's, as does Microsoft Office 2000 PPT
Let me ask. Do I even have to state the following among this readership? Though it may be up to you to educate others.
* Don't open untrusted, unvetted or otherwise unexpected attachments.
* Especially not if they were found on a USB stick that was lying on the ground outside your office!
Personally, I have instructed my parents to stop using the internet altogether, since they seem unable to stop browsing strange websites and opening attachments from strange sources. </sarcasm>
Have I mentioned that I'm tired of using terms that have lost their meaning?
0day it to the front, uh-uh-uh
0day it to the back, uh-uh-uh
0day to the right, 0day to the left
0day it up, up all night, uh-uh-uh
Handler on Duty (who solemnly swears NEVER to use the term '0day' ever again)
W
Malware analysts rejoice! A public submission interface for the CWSandbox
The CWSandbox has been a somewhat closely held tool in the professional security and AV researcher community for many months now. The CWSandbox results offer near-immediate insight into the actions of malicious code executing on Win32-based systems, which in turn offers you, the affected party, some quick intel on what might be happening on your network!
Please be kind and submit samples that you have vetted in some way as malicious. I'm sure this project would not be interested in receiving copies of your %SYSTEM% directory.
You can submit your malicious code samples via the sample web submission form at:
https://luigi.informatik.uni-mannheim.de/submit.php
CWSandbox results containing the sandbox/AV results are emailed to the submitter address.
This sandbox environment currently tracks malicious code variants against only three free/unnamed AV products at the moment. I'm confident that this project would be interested in hearing from commercial AV vendors willing to offer Unix-based solutions to further their detection effort.
Handler on duty
W
Rant-of-the-day: on the dangers of orphaned software (the dark side of open source)
Anyway, from what I can tell from the FreeBSD and Ubuntu bulletins, these issues can result in gzip (or, I believe more accurately, gunzip/gzip -d) crashing, causing high CPU utilization, and possible code execution from a properly crafted .gz file, so you'll probably want to update your gzip as soon as your favorite distro provides the update.
----------------------------
Jim Clausing, jclausing /at\ isc dot sans dot org
Are you a security pirate?
It has been reported that September 19th is International (talk like a) Pirate Day! Arrr!
If you have any need to don your Security BoFH hat for the remainder of your day to speak with anyone regarding actual significant security matters, I am informing you that you do have the option to do so with a new hook in your voice. Just think of the fun you can have while you speak with the next individual reported to have unleashed a botnet on your internal networks:
"Arrr! Did ya click on that URL sent in IM, Matey!!! Grrr... Now why'd ya go and do that! Now yee'll be walkin' the plank!"
I consider myself to be of the disco bandit pirate variety, and just what kind might you be matey!
W
Yet another MSIE 0-day: VML
This 0-day appears to be different from last week's 0-day abusing daxctle.ocx (BTW: it's still unpatched).
The researchers claim it allows remote code injection (i.e. anything the local user could do).
Since we know of no killbit or other easy solution, your options are limited in mitigating this attack. And with a possible solution far off, looking into alternate browsers isn't the worst way to spend the next half hour.
One of the easiest ways to make it work might be to use Firefox with a plugin that allows certain sites (such as windowsupdate.com) to transparently use MSIE, to get back the ActiveX functionality without bothering the user with the choice and differences. If you do go that road, also add NoScript and a toolbar to block funny sites.
See also the diary on diversity.
There is some possibility to lessen the impact by reducing the rights the user has, but it'll only mitigate drive-by shootings at best. The targeted attacker is probably more than happy to get the rights (and access to information) the user has as part of his/her daily tasks.
Thanks to all who sent in a note about this.
Update:
We have received requests for additional background information. Today's US-CERT Vulnerability Note provides useful background, offering links to the specific vulnerable technology.
--
Swa Frantzen -- Section 66
Log analysis follow up
The one open source tool that was mentioned most often was ossec and frankly, I'm not sure how that one slipped my mind when I did my own list. I started using it a few months ago and really like it. Daniel Cid, the maintainer, pointed out to me that there are quite a few rules for it that can be found at http://www.ossec.net/rules/ and they are updated/added to on a daily basis.
Beyond that, most of the folks who wrote in said that they wrote their own scripts to search/parse/summarize their logs because with experience they've learned what it is they want to look for. I guess this points out one of the problems in the area though. Folks with lots of experience, who have managed their machines/networks for a long time, develop a feel for what is normal and what they need to watch for, but how much bad stuff happened on the way to developing all that experience? Also, is their intuition correct? As I mentioned to fellow handler Swa when he wrote up his audit story last month, in some ways automated summarization/reporting on logs based on experience is a lot like signature-based anti-virus or IDS: you'll catch the known stuff, but may miss the new stuff. That's why it is important to also look at the unusual stuff. Not just the "top 10" reports, but also the "bottom 10".
I was kind of surprised that few of our readers wrote in about any of the commercial tools out there. I don't know if that is because our readers all are strong believers in open source, or don't have experience with the commercial tools, or if the commercial tools just don't do what they need. I personally have almost no experience with the commercial tools because in most of my paid jobs, there was no budget for log analysis, so we were stuck with open source, stuff I wrote, or doing without.
I'll wrap this up, by pointing you to a report that was released at the SANS Log Analysis Summit after SANSFIRE in DC in July. I was able to attend part of the summit, including the talk by Chris Brenton and Mike Poor where they discussed the Top 5 Essential Log Reports.
-------------------------------
Jim Clausing, jclausing --at-- isc dot sans dot org
Update/Fix for MS06-049
Haxdoor Incident Details at Honeyblog.Org
Citrix Access Gateway Advanced Access Control remote and local vulnerability reported
UPDATE We were notified by Jerry that the FrSIRT links were working as of Saturday evening, September 16. Thanks Jerry.
Multiple vulnerabilities fixed in Firefox, Thunderbird and Seamonkey
Firefox 1.5.0.7 Release notes
Thunderbird 1.5.0.7 Release notes
SeaMonkey 1.0.5 Release notes
Downloads for these updated Mozilla products are at Firefox, Thunderbird and SeaMonkey.
Snort rule update
Microsoft Security Bulletin MS06-054 Microsoft Publisher
Microsoft Security Bulletin MS06-053 Microsoft Indexing Service
Microsoft Security Bulletin MS06-008 Microsoft Web Client Service (Webdav)
Microsoft Security Bulletin MS06-007 The Microsoft Windows Operating system suffers from a Denial of Service (DoS) condition that is present when handling malformed IGMPv3 data
Also Snort 2.6.0.2 was published today that includes a new DNS preprocessor that will catch:
Microsoft Security Bulletin MS06-041 The Microsoft Windows DNS Client
Get your fresh Snort rule updates here. For complete information about the rule pack, please go here. Finally, to download Snort 2.6.0.2, go here.
Update #1
-------------------------------------------------------------------------------------------
Joel Esler, from 35,000ft in the air, has added a note to this story, and that is...
The above listed rules, available from Sourcefire, are subscription only at this time. After a period of time they will be available to the public, for free.
For Joel Esler,
Tony Carothers
Handler on Duty
Killbit apps for current IE exploit
To make life a little easier, I put together two small apps to set and unset the appropriate "kill bit" to block the actions of the current "daxctle.ocx" IE exploit. They can be found here:
http://handlers.sans.org/tliston/DAXCTLE.OCX_KillBit.exe - Standard Windows executable
(MD5: 599a2e48602f63a5330eea8259216584)
http://handlers.sans.org/tliston/DAXCTLE.OCX_KillBit_cmd.exe - Command line version
(MD5: 571a19cf51f713b81545ebd6a007d792)
The command line version, when run without any parameters, will set the "kill bit". When run with any parameter (e.g. something like "/r"), it will remove the "kill bit".
The standard Windows executable, when run, will tell you the current status of the kill bit and offer you the option of changing it.
Hope these help...
--------------------------------------------------------------------------
Tom Liston
ISC Handler
Senior Security Analyst - Intelguardians (http://www.intelguardians.com)
MSIE DirectAnimation ActiveX 0-day update
Timeline:
- Aug 28th: 1st exploit released publicly
- Sept 13th: 2nd exploit released publicly
- Sept 13th: CVE-2006-4777 assigned
- Sept 14th: Microsoft Security Advisory (925444) released
Mitigation options:
- Use an alternate browser (see also diversity)
- Disable ActiveX scripting in MSIE
- Modify the ACL on daxctle.ocx to remove rights to use it
- Set the KillBit for "{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}"
- Make MSIE prompt before executing ActiveX
With thanks to the readers writing in to remind us.
--
Swa Frantzen -- Section 66
Adaware corrects their false positives
Seems like if you update to the newest detection file, you should be fine. Check out the thread here.
A reader named Jim did write in and tell us about the error; thanks Jim. He told us: "Following the registry to the executable file reference, I find a MSINET.OCX in the windows system32 directory which was digitally signed by Microsoft in 2000."
As a quick reminder, anyone who wishes to contact the ISC may do so by clicking "Contact" at the bottom right of the page, or clicking on the "Handler of the Day"'s name at the top of the screen.
Get your fresh Firefox updates
Version 1.5.0.7 to be exact. So what's new? Well, Mozilla tells us over here.
MFSA 2006-64 (which, by the way, stands for Mozilla Foundation Security Advisory)
Looks like a memory corruption bug. "Crashes with evidence of memory corruption", Mozilla says, "...we presume that at least some of these could be exploited to run arbitrary code with enough effort." So, let's hope not.
MFSA 2006-62 -- Popup-blocker cross-site scripting (XSS)
More XSS stuff, except this time against the Popup-blocker feature. Mozilla doesn't really view this as a big threat: "The malicious page would first have to get itself framed by the target page, attempt to open a popup, and then convince the user that the popup contents were so important or interesting that it must be opened manually."
MFSA 2006-60 -- RSA Signature Forgery
Looks like Philip Mackenzie and Marius Schilder over at Google found this one.
"Because the set of root Certificate Authorities that ship with Mozilla clients contain some with an exponent of 3 it was possible to make up certificates, such as SSL/TLS and email certificates, that were not detected as invalid. This raised the possibility of the sort of Man-in-the-Middle attacks SSL/TLS was invented to prevent."
Good, I read about this one not too long ago on a couple mailing lists that I lurk on.
MFSA 2006-59 -- Concurrency-related vulnerability
Mozilla has this to say: "We have seen no demonstration that these crashes could be reliably exploited, but they do show evidence of memory corruption so we presume they could be."
MFSA 2006-58 -- Auto-Update compromise through DNS and SSL spoofing
DNS and SSL spoofing vulnerability. Mozilla does offer some good advice on this one:
"Do not accept unverifiable (often self-signed) certificates as valid. If you must, accept them for the session only, never permanently." Rule of thumb.
MFSA 2006-57 -- JavaScript Regular Expression Heap Corruption
"...a regular expression that ends with a backslash inside an unterminated character set (e.g. "[\\") will cause the regular expression engine to read beyond the end of the buffer, possibly leading to a crash."
... and since Thunderbird uses the same browser engine as Firefox, you need to update it too!
Thunderbird update can be found here.
Firefox's update can be found here.
OR!!! (and better IMO), you can click on Help (in the title bar), and click on "Check for Updates...", and the program will update itself. (At least that's where it is on my Mac)
Happy updating!
(ISC would like to thank Jack, Robert, Juha-Matti, and Brian for emailing us to let us know.. and in case you were wondering, Brian emailed us first. He wins!)
Another 0-Day Exploit - CVE-2006-4777
We have received word that FrSIRT has issued another advisory on a 0-day exploit. This vulnerability has CVE ID CVE-2006-4777, appears to be related to Microsoft Internet Explorer, and causes memory corruption and a consequent browser crash. FrSIRT has successfully exploited this vulnerability on a fully patched Windows XP SP2 system.
FrSIRT Advisory for CVE-2006-4777
CVE Advisory
CSO Online E-Crime Survey Results
The survey results are in and the findings are quite intriguing (at least to me). As a Security Administrator for a smaller company I realize what a task it is to implement any kind of security with a very small budget. It is often difficult to impress on top management the importance of data protection, network protection and getting them to allocate funds for software/hardware to protect the data.
As I reviewed the information in the survey one of the items that jumped out at me, that really caused me to pause and think was the insider breaches that ended in lost revenue/damage. The different ways that the breaches occurred were all very logical and I guess not so surprising. When I looked at the reasons that were given for why legal action was not taken I at first was surprised at the high percentage that said "Lack of evidence". As I began to think about it, began to really think about whether or not we would have enough evidence, I am beginning to rethink my response. Perhaps I need to really look at my ability to provide evidence in the event that an insider breach does occur.
I have to say, this is an outstanding survey and I think an outstanding tool for Security/System Administrators to begin to ask themselves the very important question, "How safe is your data?"
I for one am going to use this as a tool for doing a self evaluation.
I want to thank Karen Fogerty at CSO Online for giving me permission to post a link to the survey in today's diary. Hopefully everyone will take a look at the results of the survey and use it to analyze their own security or lack thereof and the impact that a breach may have on their system.
Cisco VTP vulnerabilities
FX reported three vulnerabilities in Cisco VTP.
http://www.securityfocus.com/archive/1/445896/30/0/threaded
Cisco responded with this public response.
http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml
VTP passwords mitigate this one somewhat, as long as the passwords are not easily guessable or well known.
VTP passwords do not mitigate this vulnerability, as it takes place before the VTP password would be used.
This one appears to be a cosmetic issue, not a DoS.
Cisco was unable to recreate a DoS condition in their testing.
If VTP is not set to transparent mode, the switch could be vulnerable depending on the code level.
"Products affected by these vulnerabilities:
Switches running affected versions of Cisco IOS® software that have VTP Operating Mode as either "server" or "client" are affected by all three vulnerabilities
Switches running affected versions of Cisco CatOS that have VTP Operating Mode as either "server" or "client" are only affected by the "Integer Wrap in VTP revision" vulnerability
Products not affected by these vulnerabilities:
Switches configured with VTP operating mode as "transparent"
Switches running CatOS with VTP Operating Mode as either "server" or "client" are not affected by the "Buffer Overflow in VTP VLAN name" or "VTP Version field DoS" vulnerabilities"
Happy birthday, disk drive
PHP - shared hosters, take note.
PHP's (security) settings are typically controlled from a php.ini file. This allows the system administrator to control settings such as safe_mode and open_basedir.
People managing shared hosting machines often control the settings on a more granular level in the apache configuration (httpd.conf) as they can set it there per directory and allow for the different hosted sites to have different settings.
This latter method of limiting scripts can be overcome from inside the scripts themselves. Details are trivially available.
So that leaves:
- Control PHP settings from the php.ini file if possible;
- If you are a shared hosting provider: check the CVS repository, reportedly the needed fixes have been checked in (unconfirmed);
- Cross your fingers and wait for the next release of PHP (the current releases are reportedly affected).
--
Swa Frantzen -- Section 66
Qwest having problems?
The Internet Health Report confirms the outage. Click here.
More to come as we know more.
Adobe Flash player upgrade time
Upgrading to the latest greatest version: 9.0.16.0 is highly recommended.
Apple Mac OS X users as well as Windows users are urged to upgrade. It's important, as content vectors are something the dark side likes to embrace.
CVE-2006-3014
CVE-2006-3311
CVE-2006-3587
CVE-2006-3588
CVE-2006-4640
--
Swa Frantzen -- Section 66
Apple Quicktime 7.1.3 released
So, one more item to install on reboot Wednesday if you want to wait that long.
And Mac OS X users also have to patch so there is some equality after all.
CVE-2006-4381
CVE-2006-4386
CVE-2006-4382
CVE-2006-4384
CVE-2006-4388
CVE-2006-4389
CVE-2006-4385
--
Swa Frantzen --Section 66
Microsoft Security Bulletin MS06-053
Mitigating Factors:
By default, Internet Information Services (IIS) is not installed on Windows XP or on Windows Server 2003.
On Windows Server 2003, the Indexing Service is not enabled by default.
On Windows Server 2003, even when the Indexing Service is installed, by default it is not accessible from IIS. Manual steps are required to enable IIS to become a Web-based interface for the Indexing Service. By default the Indexing Service is used only to perform local and remote file system queries.
Recommendations: Evaluate urgency based on your installation, and apply the patch.
Microsoft Security Bulletin MS06-052
Affected Systems: Windows XP with Microsoft Message Queuing Services (MSMQ) installed.
Recommendation: Patch immediately if you are running MSMQ.
Microsoft security patches for September 2006
# | Affected | Known Problems | Known Exploits | Microsoft rating | ISC rating (clients) | ISC rating (servers)
---|---|---|---|---|---|---
re-released MS06-040 | Server Service, CVE-2006-3439 | Re-released to fix known problems, KB921883 | Multiple botnets actively exploiting this. | Critical | PATCH NOW | PATCH NOW
re-released MS06-042 | Internet Explorer (MSIE), CVE-2006-3280, CVE-2006-3450, CVE-2006-3451, CVE-2006-3637, CVE-2006-3638, CVE-2006-3639, CVE-2006-3640, CVE-2004-1166, CVE-2006-3869, new: CVE-2006-3873 | Re-released to fix the known problems with MSIE6SP1, KB918899 | Well known vulnerabilities | Critical | PATCH NOW | Important
MS06-052 | Reliable Multicast Program (PGM), CVE-2006-3442 | No reported problems, KB919007 | No known exploits yet | Important | Critical | Critical
MS06-053 | Indexing Service, CVE-2006-0032 | No reported problems, KB920685 | No known exploits yet | Moderate | Less urgent | Important
MS06-054 | Publisher, CVE-2006-0001 | No reported problems, KB910729 | No known exploits yet | Critical | Critical | Less urgent
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
Swa Frantzen -- Section 66
Microsoft Security Bulletin MS06-054
A remote code execution vulnerability exists in Publisher. An attacker could exploit this vulnerability when Publisher parses a file with a malformed string.
If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Mitigating Factors: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.
By default, Publisher is only installed on the Professional Suites of Office.
Recommendation: If you use Publisher, patch now, and consider limiting user rights for day-to-day use, even for those that need administrative access.
TOR servers seized by police in Germany
Log analysis and marketing decisions don't mix
Sep 10 08:22:07 raz1-fw Sep 10 08:22:07 %PIX-3-313001: Denied ICMP type=8, code=0 from 67.x.y.z on interface outside
Sep 10 23:45:15 raz1-fw Sep 10 23:45:15 %ASA-3-313001: Denied ICMP type=8, code=0 from 64.x.y.z on interface outside
Anyone spot the difference? At least exchanging %PIX for %ASA in all log filtering regexps is something that can be done with a script on SEC and its Bleedingsnort rules. But if you are using an off-the-shelf (closed source) log "correlation" product and happen to upgrade your Cisco firewall, be wary of the peace and quiet that will set in on your alert screen...
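As an added example (not from the diary), the two log lines above run through a PIX-only rule and a facility-aware rewrite of it, plus a small inventory check that flags facility prefixes no rule recognises, which is the "peace and quiet" canary a log reviewer wants after a firewall upgrade. The message number 313001 and the FWSM prefix come from Cisco's firewall syslog format; the rule names and helper functions are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample feed, modelled on the two diary lines: the same Cisco
# message (313001, denied ICMP echo request) before and after a PIX-to-ASA upgrade.
SAMPLE_LINES = [
    "Sep 10 08:22:07 raz1-fw Sep 10 08:22:07 %PIX-3-313001: Denied ICMP type=8, "
    "code=0 from 67.x.y.z on interface outside",
    "Sep 10 23:45:15 raz1-fw Sep 10 23:45:15 %ASA-3-313001: Denied ICMP type=8, "
    "code=0 from 64.x.y.z on interface outside",
]

# A rule written against the PIX prefix only: it silently stops matching once
# the firewall starts logging as %ASA.
PIX_ONLY = re.compile(r"%PIX-(?P<sev>\d)-(?P<msg>\d{6}): (?P<text>.*)$")

# The same rule keyed on the message number, accepting the prefixes used by
# the Cisco firewall family (PIX, ASA, and the FWSM blade).
FACILITY_AWARE = re.compile(
    r"%(?P<fac>PIX|ASA|FWSM)-(?P<sev>\d)-(?P<msg>\d{6}): (?P<text>.*)$"
)

# Loose matcher used only to inventory which facility prefixes appear at all.
ANY_FACILITY = re.compile(r"%(?P<fac>[A-Z]+)-\d-\d{6}:")

DENIED_ICMP = "313001"


def match_denied_icmp(line, pattern):
    """Return (facility, severity, text) if the line is a 313001 event under pattern."""
    m = pattern.search(line)
    if m is None or m.group("msg") != DENIED_ICMP:
        return None
    facility = m.groupdict().get("fac", "PIX")  # PIX_ONLY has no facility group
    return facility, int(m.group("sev")), m.group("text")


def count_denied_icmp(lines, pattern):
    """How many lines a given rule would raise as denied-ICMP events."""
    return sum(1 for line in lines if match_denied_icmp(line, pattern) is not None)


def facility_inventory(lines):
    """Count every %FACILITY- prefix seen in the feed, whether or not a rule knows it."""
    counts = Counter()
    for line in lines:
        m = ANY_FACILITY.search(line)
        if m is not None:
            counts[m.group("fac")] += 1
    return counts


def unknown_facilities(lines, known):
    """Prefixes in the feed that none of our rules recognise: the 'peace and quiet' canary."""
    return {fac: n for fac, n in facility_inventory(lines).items() if fac not in known}


def silence_warning(lines, known):
    """Human-readable alert when the feed carries prefixes the rule set never matches."""
    unknown = unknown_facilities(lines, known)
    if not unknown:
        return None
    detail = ", ".join(f"%{fac} ({n} lines)" for fac, n in sorted(unknown.items()))
    return f"rule set knows {sorted(known)} but the feed also carries {detail}"


if __name__ == "__main__":
    print("PIX-only rule matches:", count_denied_icmp(SAMPLE_LINES, PIX_ONLY))
    print("facility-aware rule matches:", count_denied_icmp(SAMPLE_LINES, FACILITY_AWARE))
    print(silence_warning(SAMPLE_LINES, {"PIX"}))
```

Running the inventory check on a schedule against the raw feed, independent of the correlation product, is what catches the drop in alerts that the diary warns about.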
Microsoft August 2006 Patches: STATUS
# | Known Problems with this patch | Known Exploits | client rating | server rating
---|---|---|---|---
MS06-040 | Issue with: | Botnets actively exploiting this in the WILD. Exploit available in easy to use package. read more... | PATCH NOW | PATCH NOW
MS06-041 | No reported problems | | Critical | Critical
MS06-042 | Critical issue: More info: Issue #1: Issue #2: | Original MS06-042: fixes a.o. an FTP vulnerability that's well known since 2004. First revision of the MS06-042 patch's buffer overflow has details public. | PATCH NOW | Important
MS06-043 | No reported problems | | Important | Less urgent
MS06-044 | No reported problems | | Critical | Critical
MS06-045 | No confirmed problems | | Critical | Less urgent
MS06-046 | No reported problems | | Critical | Important
MS06-047 | No reported problems | Trojan dropper reported in Word document by Symantec, Trendmicro(1) and Trendmicro(2). The dropper loads a backdoor: Trendmicro, Symantec. See also diary. | Critical | Less urgent
MS06-048 | No reported problems | Trojan dropper in PowerPoint | Critical | Less urgent
MS06-049 | Unconfirmed reports about corruption of files on compressed volumes. [Windows 2000 only patch] | | Important | Less urgent
MS06-050 | No reported problems | | Critical | Important
MS06-051 | Although unconfirmed by Microsoft so far, there seem to be problems related to Terminal Services and multiple users loading certain DLLs as part of some applications. Details and fixes or workarounds are too sketchy so far. See also the problem with .ini files and Citrix at the Citrix support forum. We're still looking for a more detailed description of the problems. | | Critical | Critical
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
Off-Site Backup for Home Users
A few musings about off-site backup for home users and the usefulness of TrueCrypt...
Off-site backup hasn't been an issue for many home users. Perhaps this is because most people haven't assembled enough critical digital data to justify the effort of implementing off-site backup. They haven't even set up an on-site backup scheme. Many home users may never have to deal with off-site backup at all, considering the increasing popularity of free ASP services, such as Gmail, Bloglines, and Shutterfly, which manage data on the customer's behalf.
This is different for data power users, whose livelihood depends on the availability of their information. Freelance photographers, musicians, accountants, writers, programmers, and other professionals who maintain important files at home fall in this category. They have a vested interest in performing off-site backup in some manner, and they often do so.
For the longest time my off-site backup scheme involved burning my data onto DVDs once in a while, and taking the disks to a friend's house. This scheme wasn't effective because:
- Backing up my data took too long. It was a manual process and involved too many DVDs.
- I kept forgetting to go through the backup procedure on a regular basis. Maybe I was just too lazy.
- My off-site data quickly became outdated, because my backups were too infrequent.
Off-site backup alternatives:
- Network-based off-site backup. This method of backing up data wouldn't require me to fiddle with disks, and lends itself well to automation. The bandwidth to implement this scheme is becoming relatively inexpensive, and off-site data storage costs are decreasing. I didn't choose this method because storage costs were still too high for me, but I think I will want to move to this mechanism in a couple of years. (I'm doing this for my home user persona, so my budget is pretty limited.)
- Tape-based off-site backup. Tapes have been the traditional off-site backup mechanism for a while in the corporate world, and have been adopted by some data power users at home. I didn't have enough data to justify investing in a tape drive and I just didn't want to deal with tapes. They would allow me to implement a sophisticated backup scheme, but I wanted something simple, which brought me to the next option...
- External hard drive-based off-site backup. External drives are relatively inexpensive and offer high data storage capacity. The largest disk on the market I came across was 750GB. That was way too much for me, plus I wanted a drive with smaller dimensions, so that it would be easy to carry it to my off-site location. A laptop form-factor drive with 180GB capacity fit the bill, although it was more expensive than its desktop form-factor counterpart. I bought the disk enclosure separately from the disk itself to save a few bucks.
TrueCrypt is an open-source program for encrypting disks. It works on Windows and Unix operating systems. It's free and easy to use. It can run off external media without having to go through the installation process. TrueCrypt allows you to create an encrypted volume, either by storing the volume's contents in a file or in a dedicated partition. I selected the latter option.
I split my disk into two partitions. A small non-encrypted partition contained the TrueCrypt program. I formatted the much larger partition using TrueCrypt, so that it would exist as an encrypted volume:
To mount the encrypted volume, use TrueCrypt to select the desired partition and assign the mount point or the drive letter to it. TrueCrypt will prompt you for the password you established when creating the volume:
Once the encrypted volume is mounted, it will be available as a local disk, so you can use any backup or file-copying utilities to populate the partition with data.
Update: In addition to supporting password-only operations, TrueCrypt also allows the user to specify and optionally generate one or more key files. Without the key file, the encrypted volume would be inaccessible. The idea is that the key file would be stored away from the encrypted volume, so that the authorized user needs to present something he knows (the password) and something he has (the key file):
If you'd like to learn more about TrueCrypt, take a look at its documentation and at a December 2005 thread on the Dshield mailing list titled "Requiring a key-pair to mount a volume." There are also a few user testimonies in the comments at Bruce Schneier's blog.
-- Lenny
Lenny Zeltser
ISC Handler on Duty
www.zeltser.com
Early Discussions of Computer Security in the Media
What's the earliest computer security incident reported in the general media? I was curious.
Now that Google's News Archives Search includes 200 years worth of publications, it's easy to search printed records without having to go to the library and sift through micro films. The archive doesn't include all media records, but I think it is a good indication of the general state of the media's coverage of computer security.
I performed a search for articles that match "computer" and "security" and examined the results. Here are the earliest incidents I came across:
- The earliest computer-aided fraud: National City Bank of Minneapolis, 1966
- The earliest external intrusion: Federal Energy Administration, 1977
- The earliest large-scale identity theft breach: TRW Inc., June 1984
Minneapolis Programmer Milo Arthur Bennett, whose firm handled computer work for the National City Bank of Minneapolis, programmed the computer in 1966 to ignore an overdraft in his own account at the bank.This article highlighted the increasing profitability of computer crimes. It explained that a "handful of keypunch crooks have already thought of some ingenious ways to defraud the Brain, with varying results." The text also mentioned the following incident, which was motivated by the desire to use someone else's computer for monetary gain.
Palo Alto Programmer Hugh Jeffrey Ward learned, from customers of a computer firm in Oakland, code numbers that enabled him to give orders to the firm's computer. ... He told the Oakland computer to print out a program for plotting complex aerospace data in graph form. ... His company presumably planned to market the program, which was valued at $12,000 or more, to the Oakland firm's own customers. ...Five years later, in August 1977, the Time Magazine published an article that included the earliest mention of an external computer intrusions I could find:
The conviction of one man, accused of stealing confidential information from a Federal Energy Administration computer in Maryland, was possible only because the thief had dialed into a system from his office a few miles away in Virginia. Another intrusion mentioned in the article occurred at an identified company and involved brute-force password guessing. The article also mentioned the challenge of striking the right balance between security and usability:
One computer, protected by a five-digit code number, was illegally entered in minutes when the thief ordered the computer to begin trying every one of the 100,000 possible combinations. But tighter security would cost both money and time. Says Robert Courtney of I.B.M. "If you're running thousands of transactions a day, you don't want to spend ten seconds or so every time arguing with the computer about who you are." After a multi-year gap, the next computer security mention I found dates to 1981. A June 1981 article in the New York Times describes how an employee misused a computer to set up a race-track betting system:
His activities were uncovered by the school board's auditor general, who turned the case over to a specialist in computer security for the city's Department ... The arrested programmer 'was described by a New York City investigator as ''a good employee"' ... [Note: This article excerpt was indexed by Google.] Two years later, in August 1983, an external intrusion caught the public's eye in a way it had not before. Multiple media articles described a computer security break-in at the Los Alamos National Laboratory. The intruders were youths, apparently inspired by the movie War Games. Here are a few excerpts from the articles that discussed this incident:
The apparent electronic penetration of an unclassified computer in a nuclear weapons laboratory by a group of young people was not a threat to national security, telecommunication experts said today. But they said the incident illustrated the extraordinary difficulty of guaranteeing the security of any information ... This incident was a big deal because it demonstrated the importance of computer security to the general public. The sentiment is expressed by an August 1983 article in the New York Times:
"There's no security in it or nothing. ... Los Alamos has a computer connected to TELENET, a computer communications network" ...
Officials at the Los Alamos National Laboratory in Los Alamos, N.M., said no classified data had been uncovered by the computer users, who reached a lab computer by telephone from Milwaukee. ...
The Security Pacific National Bank of Los Angeles computer also was entered, apparently by the same young people, but no one's account was affected ...
Corporate executives and telecommunications experts said yesterday that the recent breach of computer security at the Los Alamos National Laboratory in New Mexico had renewed fears about entrusting proprietary information to data networks that are easily accessible by telephone. ... Such factors highlighted the need for commercial computer security products. About a month after the Los Alamos incident, a September 1983 article in the Miami Herald described Datacryptor, which sounds like the earliest commercial link encryption product (an ancestor of today's VPN appliances) I came across:
Most companies are reluctant to discuss their computer security systems, or even acknowledge the extent to which they are dependent on computer systems ... [Note: This article excerpt was indexed by Google.]
Racal-Milgo, a Miami computer company, thinks its $2,000 black box may be just the answer for businesses worried about computer crime. The Datacryptor, as the device is known, is an electronic scrambler that turns sensitive computer talk into undecipherable gibberish. But even the Datacryptor isn't immune to computer crime. A New York Times article, published the same month, noted that "the market for computer security software is booming," according to the article excerpt indexed by Google.
Another article, dated to October 1983 and published by the New York Times, introduced the readers to the role of a computer security specialist. The article was titled "New Breed of Workers: Computer Watchdogs" and contained the following description:
Processing manager for a major corporation suddenly notices unusual levels of activity on his company's computer. He investigates, and discovers that the system has been tampered with over telephone lines. Corporate panic follows as company officials try to determine what was disclosed, what was damaged and how vulnerable their ... If you're wondering when the first identity theft-related breach caught the media's eye, look no further than June 1984. A security breach at a credit-reporting agency led to the disclosure of a password used to protect credit reports. Here are a few excerpts from the articles that described the incident:
A password that could permit access to the credit histories of 90 million people was stolen and posted on an electronic bulletin board, TRW Information Systems said yesterday. ...
Through the theft of a code, the credit ratings of the 90 million people tracked by TRW Inc. were used by credit-card thieves armed with home computers, offering the potential to cash in on other people's credit, company officials said yesterday. "We found out about that code a couple weeks ago, and the code is no longer valid," said Geri Schanz of TRW's Information Services Division ...
Computer raiders used a stolen access code to tap into the files of the nation's largest credit rating bureau for more than a year but company officials say the "hackers" could not have altered the records. TRW Information Services, whose computers hold credit ratings and other records on 90 million people, said yesterday the raiders could have used information from the files to fraudulently obtain credit cards.
The subsequent years led to a surge in computer use, the emergence of the Internet, and the shaping of the computer security landscape as we know it today.
-- Lenny
A few preliminary log analysis thoughts
Resources
The log analysis mailing list - http://lists.shmoo.com/mailman/listinfo/loganalysis
The log analysis web site created by Marcus Ranum and Tina Bird - http://www.loganalysis.org/
SEC (Simple Event Correlator), which I once described to SANS instructor David Hoelzer as "swatch on steroids" - http://kodu.neti.ee/~risto/sec/ and the SEC rules being collected by the Bleeding Snort project at http://www.bleedingsnort.com/sec/ (thanks to Matt Jonkman for reminding me of this).
Marcus Ranum's nbs tool - http://www.ranum.com/security/computer_security/code/nbs.tar
Logwatch - http://www.logwatch.org
As promised, I'll share our reader's suggestions sometime next week.
--------------------------
Jim Clausing, jclausing --at-- isc dot sans dot org
New feature at isc.sans.org
--------------------------
Jim Clausing, handler on duty
Log Analysis tips?
-------------------------
Jim Clausing, handler on duty
Is someone watching your internet traffic or telephone calls?
It is an interesting read.
However, given the options most ISPs have today to hide the path your packets take, I would be surprised if they made this monitoring so noticeable. Simply tracerouting to see if your packets go through sffca.ip.att.net is too simple a detection method.
For more details see the link.
The Newbie's Guide to Detecting the NSA
http://radar.oreilly.com/archives/2006/06/the_newbies_guide_to_detecting.html
AOL ICQ vulnerabilities
One is for the ICQ toolbar for IE and another for AOL's ICQ client.
Since Core Security states they used a fuzzer to discover these issues,
I suspect there will be other ICQ vulnerabilities discovered and announced by them in the future.
"Advisory ID: CORE-2006-0322
Multiple vulnerabilities in ICQ Toolbar 1.3 for Internet Explorer
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1510
Security problems found in the ICQ Toolbar v1.3 may allow attackers to
control and change configuration settings and to inject scripting code
in RSS feed contents and execute it in the contexts of the feed
interface (IE's Local Zone)
Vulnerable Packages:
The following AOL/ICQ software products are affected by these issues:
Remote configuration vulnerability
ICQ Toolbar 1.3 for Internet Explorer
Malicious RSS feed vulnerability
ICQ Toolbar 1.3 for Internet Explorer
ICQ Search Plugin for Mozilla / Firefox is reported as not being vulnerable.
Advisory ID: CORE-2006-0321
AOL ICQ Pro 2003b heap overflow vulnerability
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1509
A vulnerability in AOL's ICQ Pro 2003b instant messenger client could
lead to denial of service attacks and remote compromise of systems
running vulnerable versions of the client.
Vulnerable Packages:
The following AOL/ICQ software products are affected by this issue:
ICQ Pro 2003b Build #3916 and previous.
Non-vulnerable Packages:
ICQ 5.1 and ICQ2Go!
AOL and ICQ recommend that users upgrade to the latest version of the
ICQ client: ICQ 5.1"
Microsoft's September Updates
Well here they are:
Two Microsoft Security Bulletins (MSBs) affecting Microsoft Windows. The highest severity rating for these is "Important".
One MSB for Microsoft Office. The highest severity rating for this one is "Critical". (So let's hope it's the new '0-day' in Word.)
They will also update their Malicious Software Removal Tool; nothing new there.
They will also release two non-security, high-priority updates for Windows on Windows Update (WU) and Software Update Services (SUS),
and finally three non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
So overall it looks like 9 updates, three of which are security related and rated "Important" or higher. Looks like a light month, but still a nationwide reboot.
Read more about it from Microsoft here.
Quick plug: Netcat in the Hat
DUNZIP32.dll Buffer Overflow
Many other software packages using old versions of DUNZIP32.dll are affected by this exploit.
Internet Systems Consortium BIND Denial of Service Vulnerabilities
SIG Query Processing (CVE-2006-4095):
1) An assertion error within the processing of SIG queries can be exploited to crash either a recursive server when more than one SIG(covered) Resource Record set (RRset) is returned or an authoritative server serving a RFC 2535 DNSSEC zone where there are multiple SIG(covered) RRsets.
Excessive Recursive Queries INSIST failure (CVE-2006-4096):
2) An error within the handling of multiple recursive queries can be exploited to trigger an INSIST failure by causing the response to the query to arrive after all clients looking for the response have left the recursion queue.
So ensure you are patched to the current version: BIND 9.3.3rc2, BIND 9.3.2-P1, BIND 9.2.7rc1, or BIND 9.2.6-P1.
Updates are available here.
As of this time we have not received any information on an exploit for either vulnerability.
Updated Packet Attack flash animation
The animation shows a geographical representation of all reports received during the last 5 minutes.
(Thanks to Morgan Grant for helping with the update!)
The Sleuth Kit (TSK) for Windows released
TSK has finally been released as Windows binaries, so you don't have to compile them manually anymore. You can download the toolkit from http://www.sleuthkit.org/sleuthkit/download.php.
Thanks to Edi for sending us a note about TSK.
More about the host based firewall on Windows XP SP2
We received some valuable submissions about this, so it's time to share them with everyone.
One of our readers also asked why I didn't write about any other (commercial or free) third party host based firewall. While other products indeed exist, and typically have more features than the host based firewall provided with Windows XP (which, as I noted in the first diary, lacks in several things), the idea of the original diary was to give you more information about a firewall that is already available. I've found that the integrated host based firewall in Windows XP is usually underestimated (or turned off because it became a problem) in corporate environments.
Now, let's see how our readers use this firewall. Iain Taylor described how he uses GPOs to manage the host based firewall on workstations which have to share printers. Iain uses WMI filtering in GPOs, which allows him some pretty cool deployments (his WMI kung-fu was obviously on a reasonable level).
Here's Iain's e-mail:
One common requirement on business networks is printer sharing from workstations.
Unfortunately the ports used are ones that would normally be closed on all workstations, as they are also used for file sharing and are a very common target of attack by all forms of crudware.
To maintain as much protection as possible, we only want to open those ports on a targeted subset of machines - i.e. those that actually both have a printer attached AND share it. To achieve this we have used a conditional group policy to open File & Printer sharing ports on the machines which are sharing printers.
Putting those machines into different OUs and applying a specialised GPO with the relaxed firewall settings to them would be one solution, however keeping track of which machines require this behaviour can be challenging. Instead, we use a slightly less-well known feature of GPOs - WMI filtering. This allows the clients to execute a WMI query before deciding to activate a GPO applied to them or not. Now the firewall rules can be 'intelligently' applied, only being relaxed if the Workstation requires the feature, whilst remaining locked-down otherwise.
To achieve this there are two firewall rules GPOs. One is the default (restricted) configuration, applied to all systems without filtering. The other, applied afterwards, has the WMI query attached to it and contains the same settings, except for the File and Printer sharing ports being permitted. The query itself works as follows...
select * from Win32_Printer where Local = TRUE and Shared = TRUE
Using the Windows built-in 'root\CIMv2' namespace, the WMI query first finds whether the machine has a local printer & then checks whether it is shared. If both are true, then the client will apply the GPO, opening the ports. Otherwise the query returns false, the policy is not applied & the more restrictive default policy is in play.
Ray also wrote to remind us of a nice tool that Microsoft provides: Port Reporter. This tool installs as a service and logs all TCP and UDP port activity. When used with the Port Reporter Parser tool, it provides a very nice source of information about processes that used any ports on the machine.
You can find more information about Port Reporter at http://support.microsoft.com/?id=837243.
Reports of Bots exploiting pmwiki and tikiwiki
We have received some anonymous reports of Botnets being created out of vulnerabilities found in Pmwiki and Tikiwiki software.
The Tikiwiki exploit hits versions <= 1.9, and the Pmwiki exploit hits versions <= 2.1.19. Both exploits were discovered and written by the same person, and both have been worked into auto-spreading bots.
The Pmwiki exploit only works if you have register_globals turned "On" in your PHP installation. The Tikiwiki exploit, however, works regardless of this setting.
We have no info on where these bots are attempting to connect to, yet. However, we are seeing them in the wild.
Tikiwiki has published information on how to apply a temporary fix to your systems; from that page, it also appears that Tikiwiki is working on a permanent patch.
At the time of this posting Pmwiki had no temporary fixes or patches posted on their website. So make sure you turn register_globals off and restart Apache.
So, if you are running either one of these two pieces of software, please, make sure you are fixed or patched up!
Browzar, the privacy that may not be
Browzar has received a lot of recent attention on mailing lists like Full-Disclosure: posters claim that Browzar leaves the last visited URL in a file in the user's Local Settings directory, and that items like cache misses, redirected URLs, and click-through URLs are left on the machine as well.
Of course, your ISP can still track you, and netflows, IDSs on your network, and software that may be on your corporate network like Websense can still see where you go, regardless of what Browzar leaves behind on your host system.
We've looked at other options like VMware's free virtual browsing appliances, or Sandboxie, which runs programs inside a virtual 'sandbox' and apparently leaves no traces behind on the local machine.
So for you privacy guys: put your tin-foil beanie on, and browse away.
Bots looking for FlashChat App
Tracking it, I was able to get into their botnet, on xx.xx.207.12, running on port 7001.
The default channel found in the perl code was #botnet, and it was active at the time this diary was written. The default command to list channels on IRC is /list.
Despite the risks of running commands on customized ircd servers, I ran it and found another channel, called #scan.
Finally, the FlashChat part... :) The topic of the #scan channel was an instruction to search Google for sites using FlashChat, ONLY on .co.uk domains!
So, my final instructions to you are:
1- If you run FlashChat, check for patches, security patches, APPLY THEM!
2- If you run FlashChat AND on a .co.uk/.uk domain, APPLY ANY PATCHES AVAILABLE IMMEDIATELY. Additionally, you might want to look through your system for signs of intrusion.
----------------------------------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org )
Trojan.Mdropper.Q / Email Attachment Practices
Media sanitization NIST website
UDP Port 47290
In reviewing recent DShield graphs I noticed a sharp and large increase in UDP port 47290 traffic. A quick review of Google and a few other resources left me with no logical conclusion as to the source.
I send this diary out as a call for packets or for any information that might lead to understanding where this traffic uptick comes from. Since this traffic started on 8/28/06, the number of reported packets is 226,660 records. The number of sources for this traffic is 134,673. The number of targets is 43, so it's possible we are looking at traffic reported by just one subscriber who sends logs to DShield. Nonetheless, this is a rather interesting and sudden increase and it would be useful to know where it comes from.
Update: We looked further into this and discovered that 99.99% of this traffic is destined for a single target. This makes the call for packets a fairly moot point.
Media sanitization
This is a significant change in stance from the often quoted U.S. Department of Defense 5220.22-M disk erasing standard, which suggests that a minimum of 3 overwrites and a verify is necessary to properly sanitize data. Before rushing out and changing all of your purging applications to single pass only, please notice that the quoted paragraph from the NIST article is fairly specific about the type of hard drive, its size and its manufacture date. Nonetheless, this points to what we hope will become a trend as time passes: fewer passes needed to properly sanitize our media.
As a related issue, let's talk a moment about the last time your media sanitization policies were updated. Do they take into account media sources other than hard drives? It is becoming increasingly difficult to contain and identify all the places where data is stored, but a thorough security program should consider all of these devices in its protection and sanitization routines. Examples of often overlooked devices include cell phones, PDAs, USB thumb drives and digital cameras. Appendix A of the NIST article mentioned above provides a fairly good list of places where data is stored along with the recommended action for sanitizing or destroying them.
Related to the topic of considering other places where sensitive data is stored electronically, reader Cornelius from Australia offers this recent article from The Sydney Morning Herald: http://www.smh.com.au/news/phones--pdas/secrets-spill-from-secondhand-mobiles/2006/08/31/1156817011704.html
Another IE Exploit makes the rounds...
So, we've said it before, and we'll say it again. Yes, sometimes it's not practical to switch off of IE, but where you can... do. Diversify, I say! Even though Mac users aren't affected, use your Safari, Firefox, Opera...
Windows users.. check out Firefox, Opera, and whatever other nice browsers you can throw out there. (I'm a Mac/*nix/*bsd user, so I am not familiar with all the Windows offerings) IE is riddled with countless holes and bugs, so, try and use something else.
Reader Ottmar followed up on this article with a suggestion for folks that just can't follow the advice above and want to make the best of the situation while still using IE. With respect to this specific issue and other ActiveX based vulnerabilities in IE, the following Microsoft article explains how to modify the registry (the "kill bit") to prevent an ActiveX control from running. Since this does involve modifying the registry, user beware! Without further ado, the Microsoft article can be found here.
----------------
Joel Esler
jesler{at}isc.sans.org
CA eTrust Antivirus [was] flagging lsass.e x e
"Some Win2k3 servers have been failing and unable to re-boot, since the service (exe) was removed by the virus software.
CA has released an update to VET (30.3.3056) that seems to have corrected the problem, but in some cases the damage has already been done."
It seems that CA accidentally flagged Lsass.e x e as a bad file. Reminiscent of the McAfee .xls debacle of not too long ago.
Cogent having problems...
One of our readers, Colin, called into the data center: "I called their support staff and got through to a guy who described the situation as a network problem 'affecting all traffic in their data center'."
More on this situation if more develops...
Fred Flintstone, we'd like to help...
We have an ISC reader who has submitted some great logs, asking for analysis, unsure of what is really going on, who calls (him|her)self 'Fred Flintstone'. Which is fine. We don't mind anonymity. However, when Fred doesn't leave an email address, and asks us to contact him with any help we can provide, we can't do it.
So, that being said. Fred, if you are out there... email us and provide us your email, we'll promise we'll not tell Mr. Slate.
Update
Thank you Fred for writing in and giving us your email address so that we can respond.
----------------
Joel Esler
jesler{at}isc.sans.org
Out Share! Now it's up to you.
We had a bunch of Tip of the Day diary entries. It was fun. And looking back on the responses so far our readers liked it. But let's go back to the beginning, and read the goal of it all once again. In one sentence:
So no, this is not the end of the tips. However it's up to you now. We will collect your tips and post them on slower days to share with all other readers.
We have an overview of all "Tips of the Day" published in August. Enjoy!
To submit your tips to success, use the contact page.
MS06-040 Worm
Well, guess what. One of our loyal readers out there on the 'Information SuperHighway', Alex Pettinger, wrote in and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm (as well as a nice copy of it). In typical antivirus fashion it appears to be named several things: McAfee is calling it "W32/SDbot.worm!MS06-040", Sophos is calling it "W32/Vanebot-A", and Symantec is calling it "W32.Randex.GEL". (Yes, it's been out for a couple of days.)
Let's take a look at this bad boy shall we? How does it spread.. well, it uses: MS04-007, MS05-017, MS05-039, and of course, our favorite bug of the moment, MS06-040.
This one should be relatively easy to catch, look for machines pounding away over port 139 (from reader submissions it's about 150 machines in just a few seconds, so it should be noisy), look for connections via IRC to "forum.ednet.es" over port 4915. (Until the next variant changes it, and we know it will). It has the ability to do a bunch of things including spreading to network shares..
Prevention, as always, (and it should have been done for years now), block 139 and 445 at the router/firewall. Netbios traffic shouldn't be allowed to exit or enter your network from egress points anyway.
Update your antivirus. At least daily.
Patch. You know the deal by now.
Now, since cleaning botnets, is.. pretty much impossible, prevention is the key. If you DO get hit with a botnet infection running throughout your network, my general recommendation is.. rebuild the box. Now, I know that sounds drastic to some of you, but it gets rid of the worm, gets rid of the botnet, and plus you have a brand new box! So, maintain those images, keep your antivirus up to date, patch your boxes, and make sure your IDS/IPS is up to date.
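As an added illustration of the detection advice above (example code written for this edit, not something from the diary or its readers): a small Python script that takes connection records such as you might export from netstat, flow logs or a firewall, and flags hosts by the two signs named above, a large fan-out of distinct peers on TCP 139/445 within a short window and any connection to the C&C host/port quoted in the diary. The records, the 10-second window and the 50-peer threshold are constructed assumptions; the host name and ports come from the text.

```python
"""Added example: flag hosts behaving like the MS06-040 bot described above.
Not from the diary; the connection records below are constructed."""
from collections import defaultdict

# From the diary: the bot hammers TCP 139 (445 is the usual companion port)
# and talks IRC to forum.ednet.es on port 4915.
SMB_PORTS = {139, 445}
CNC_HOST = "forum.ednet.es"
CNC_PORT = 4915
# Assumptions for this example: fan-out is measured per 10-second bucket and
# more than 50 distinct SMB peers in one bucket counts as scanning.
WINDOW_SECONDS = 10
FANOUT_THRESHOLD = 50

# Constructed records: (epoch_seconds, src, dst, dport). 10.0.0.7 sweeps 150
# hosts on 139 within a few seconds and then joins the C&C; 10.0.0.9 is a
# normal client touching two file servers; 10.0.0.12 just browses the web.
SAMPLE = (
    [(1000 + i // 20, "10.0.0.7", f"10.0.0.{i}", 139) for i in range(150)]
    + [(1000, "10.0.0.9", "10.0.0.1", 445), (1004, "10.0.0.9", "10.0.0.2", 445)]
    + [(1010, "10.0.0.7", CNC_HOST, CNC_PORT)]
    + [(1011, "10.0.0.12", "10.0.0.1", 80)]
)


def smb_fanout(records):
    """Map each source to the largest number of distinct 139/445 peers it
    contacted inside any single WINDOW_SECONDS bucket."""
    peers = defaultdict(set)
    for ts, src, dst, dport in records:
        if dport in SMB_PORTS:
            peers[(src, ts // WINDOW_SECONDS)].add(dst)
    worst = defaultdict(int)
    for (src, _bucket), dsts in peers.items():
        worst[src] = max(worst[src], len(dsts))
    return dict(worst)


def cnc_contacts(records):
    """Sources that connected to the C&C host or the C&C port."""
    return sorted({src for _ts, src, dst, dport in records
                   if dst == CNC_HOST or dport == CNC_PORT})


def suspects(records):
    """Sources worth pulling off the network, with the reason(s) for each."""
    reasons = defaultdict(list)
    for src, n in smb_fanout(records).items():
        if n > FANOUT_THRESHOLD:
            reasons[src].append(f"{n} distinct SMB peers within {WINDOW_SECONDS}s")
    for src in cnc_contacts(records):
        reasons[src].append(f"connection to {CNC_HOST}:{CNC_PORT}")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in suspects(SAMPLE).items():
        print(host, "->", "; ".join(why))
```

The fan-out check is what catches the next variant too, once the IRC server name changes: a workstation that talks SMB to 150 different hosts in ten seconds is scanning no matter what its payload is, so tune the threshold to your own environment and keep the C&C match as a secondary, short-lived indicator.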
Cory, one of our ever vigilant readers, notified us that the link to 06-040 was incorrect. Thanks Cory. It has been fixed.
Tip of the Day: Audit
Audits might sound scary as they verify your work, but they really should not. They can be a great tool for doing the right thing and catching (and correcting) errors before they escalate and become a problem. As a matter of fact, you can audit your own work, or do it in a team: we all know we cannot find errors in stuff we wrote ourselves, while they are obvious if somebody else wrote it.
Audit yourself/co-worker
You can do various audits yourself of your work:
- Are backups actually able to be read?
- Can we actually restore a backup of a system if we lose all the hard disks, or are we missing information?
- Are the dates/sizes of system files on all our computers still the same? (A poor man's HIDS, but it can also detect failed patches etc.)
- Do logs from all our systems actually end up in our central log repository?
- Did management acknowledge all incident reports you gave them? Were changes implemented due to the incidents?
- Do we have blocklists? Do we update them regularly? Did we check if they are still relevant?
- Exposed scripts (e.g. cgi-bin perl scripts)? Who reviewed them for security? Were they changed afterwards?
- Is everything you do documented, and can co-workers understand it and take over your tasks?
- ...
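The "dates/sizes of system files" item above is the classic poor man's HIDS. As an added example (my own code for this edit, not the diary's), here is a snapshot-and-compare script in Python that goes one step further and also records a SHA-256 per file, because a replaced binary can keep its size and even its timestamp. The directory tree and the tampering are constructed inside the script so it runs stand-alone; on a real system you would point it at /bin, /sbin, /etc and the like and keep the baseline off the box.

```python
"""Added example: poor man's HIDS - snapshot size, mtime and SHA-256 of every
file under a tree, then diff a fresh snapshot against the saved baseline.
Not from the diary; the tree and the tampering below are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """relative path -> (size, mtime_ns, sha256) for each regular file under root."""
    root = Path(root)
    table = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        table[path.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, digest)
    return table


def compare(baseline, current, use_hash=True):
    """Diff two snapshots. With use_hash=False only size and mtime are compared,
    which is all a quick 'are dates/sizes still the same' check looks at, and
    exactly what an intruder who puts the old timestamp back can defeat."""
    key = (lambda rec: rec[2]) if use_hash else (lambda rec: rec[:2])
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if key(baseline[p]) != key(current[p])),
    }


def save(table, path):
    Path(path).write_text(json.dumps(table))


def load(path):
    return {k: tuple(v) for k, v in json.loads(Path(path).read_text()).items()}


def demo(workdir=None):
    """Constructed scenario: baseline a small tree, tamper with it three ways,
    and return (hash_based_diff, metadata_only_diff)."""
    base = Path(workdir or tempfile.mkdtemp(prefix="hids-"))
    tree = base / "tree"
    (tree / "bin").mkdir(parents=True, exist_ok=True)
    ls, ps = tree / "bin" / "ls", tree / "bin" / "ps"
    ls.write_bytes(b"#!/bin/sh\necho original\n")
    ps.write_bytes(b"#!/bin/sh\necho ps\n")
    (tree / "etc.conf").write_text("debug=0\n")
    save(snapshot(tree), base / "baseline.json")   # baseline kept outside the tree

    # 1) trojan 'ls': same length as before, and the old mtime is put back
    st = ls.stat()
    ls.write_bytes(b"#!/bin/sh\necho 0riginal\n")
    os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
    # 2) delete 'ps'   3) drop a new binary 'nc'
    ps.unlink()
    (tree / "bin" / "nc").write_bytes(b"#!/bin/sh\necho nc\n")

    baseline, current = load(base / "baseline.json"), snapshot(tree)
    return compare(baseline, current), compare(baseline, current, use_hash=False)


if __name__ == "__main__":
    by_hash, by_metadata = demo()
    print("hash-based diff:    ", by_hash)
    print("metadata-only diff: ", by_metadata)   # misses the trojaned 'ls'
```

The metadata-only diff still reports the deleted and the added file, which is why the date/size check is worth doing even without hashes; the hash is what turns "nothing changed" into "ls was replaced".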
Internal Audits
Internal audits can go further:
- Are all our users in our user database(s) still rightfully there? Does the list match what e.g. HR has as a list of employees/contractors? Are the other users interactively used? Are they regularly re-confirmed as needed users? Do we have users that never log in?
- Can we actually start a Disaster Recovery without touching the existing equipment and information?
- Do people inside the company know where to find security policies? Do they know the key content of the policies? When were they last reminded of the password policy? Are all our policies easy to read? Are all our policies short enough to be read in under 5 minutes?
- Is equipment we rely on for being warned about problems (availability, IDS, logs, ...) actually tested regularly? How are we sure?
- Are policies overruled? Why? By whom? How often? Was it investigated? Did the policy change afterwards to fix the problem?
- Where are incidents logged? What were the conclusions? Do people know of incidents that were not logged?
- If you need more audit ideas, check ISO 27001 (or ISO 17799); it has a bunch of controls you can test to see whether you have them or not. Without a policy or guideline requiring them this isn't a real audit check in the must-have sense, but it's always good to look for some extra credit beyond the minimum implied by the policies.
- Is the inventory complete? Are network diagrams up to date?
- Is everything labeled? Do machines with possibly confusing ports have labels added to identify the ports? Are cables labeled on both ends with both sides of what they connect?
- Are logbooks used and filled out? Or are they filled out just before the audit?
- ...
External Audits
External audits generally should check the same stuff as the internal audits do, but be independent. Still, they are valuable as they can give you the ultimate magic bullet: management support. Typically this starts with regulatory and legal requirements, but it can check compliance with standards as well.
- They can grant a seal of approval.
- These audits can also audit those persons that are very hard to audit as an employee: the big chief. Does (s)he feel the policies do not apply to him/herself?
- ...
- First of all: logs are huge. You do not want them to shrink in size.
- Computers are pretty good at finding things in large amounts of data - if you can tell them what to look for.
- The "what to look for", however, is lacking in the "review logs" assignment.
As soon as you know what to look for, you can automate it in less time than it takes to do it manually once.
So that leaves?
- Create logs, the more the better; they might be the only trace you have of an incident.
- Do NOT review them manually, it is pointless.
- Automatically look through them
- for known problems (you learn them from past incidents).
- for never-seen-before entries, using e.g. Marcus Ranum's nbs (never before seen) script/db, so that when something absolutely new occurs you get a chance to consider whether it is interesting enough to treat as an incident or not.
- Keep them for the right amount of time.
- Look through them for evidence and further understanding once you have an incident to deal with.
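To make the "never before seen" step concrete, here is an added example (written for this edit; it is not Marcus Ranum's nbs tool and not part of the diary) of the idea in Python: each log line is reduced to a template by stripping the timestamp and replacing variable fields (IP addresses, long hex strings, numbers) with placeholders, and only lines whose template has not been recorded before are reported. The syslog lines and the normalisation rules are constructed for the example; in practice you would persist the set of seen templates between runs and tune the rules to your own log sources.

```python
"""Added example: a minimal 'never before seen' log filter in the spirit of
Marcus Ranum's nbs. Not nbs itself and not from the diary; the log lines are
constructed."""
import re

# Normalisation rules, applied in order: IPs first so they are not shredded
# into separate numbers, then long hex strings (session ids, hashes), then numbers.
PATTERNS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b[0-9a-f]{8,}\b"), "<hex>"),
    (re.compile(r"\b\d+\b"), "<n>"),
]
# Classic syslog prefix "Sep  1 10:00:01 host ": the host is kept, the time is dropped.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ")


def template(line):
    """Reduce a log line to its shape: host plus message with variable fields masked."""
    m = SYSLOG_PREFIX.match(line)
    body = m.group(1) + " " + line[m.end():] if m else line
    for rx, token in PATTERNS:
        body = rx.sub(token, body)
    return body


class NeverBeforeSeen:
    """Keeps the set of templates already seen; in real use persist it across runs."""

    def __init__(self, seen=None):
        self.seen = set(seen or ())

    def process(self, lines):
        """Return the lines whose template is new, and remember those templates."""
        new = []
        for line in lines:
            t = template(line)
            if t not in self.seen:
                self.seen.add(t)
                new.append(line)
        return new


# Constructed syslog lines. Day 1 is the baseline; on day 2 the routine entries
# recur with different pids, ports and timestamps, plus two lines whose shape
# has genuinely never been seen before.
DAY1 = [
    "Sep  1 10:00:01 web1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50111 ssh2",
    "Sep  1 10:05:02 web1 sshd[1240]: Accepted publickey for bob from 10.0.0.6 port 50222 ssh2",
    "Sep  1 10:10:03 web1 cron[1300]: (root) CMD (/usr/bin/logrotate)",
]
DAY2 = [
    "Sep  2 10:00:01 web1 sshd[2234]: Accepted publickey for alice from 10.0.0.5 port 50333 ssh2",
    "Sep  2 03:12:44 web1 sshd[2300]: Accepted password for root from 198.51.100.23 port 4023 ssh2",
    "Sep  2 03:13:01 web1 kernel: martian source 10.0.0.1 from 198.51.100.23, on dev eth0",
    "Sep  2 10:10:03 web1 cron[2301]: (root) CMD (/usr/bin/logrotate)",
]


def run_demo():
    """Train on DAY1, then return only the DAY2 lines that are new in shape."""
    nbs = NeverBeforeSeen()
    nbs.process(DAY1)
    return nbs.process(DAY2)


if __name__ == "__main__":
    for line in run_demo():
        print("NEW:", line)
```

Out of four day-2 lines only the root password login and the kernel "martian source" message come back; the repeated key-based logins and the cron job are silent because their templates were learned on day 1. The trade-off is visible in the rules: leave user names in the template and every new account's first login is reported (usually what you want), mask them and you trade that signal for a shorter list.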
--
Swa Frantzen -- Section 66