Diaries

Published: 2007-01-31

Solaris 10 ICMP induced panic

For those of you who remember the Ping of Death issues, there's a recent twist to the story.

Sun has released patches for Solaris 10. It fixes an issue where a single ICMP packet could panic a host. Sun did not make available details on the required ICMP packets.

--
Swa Frantzen -- net2s.com

0 Comments

Published: 2007-01-31

Day Light Savings Change for 2007

First of all I have to ask... How many people know about the upcoming change to Daylight Savings Time this year?  How many are aware that it starts earlier this year and ends later?  It is amazing to me that when you start talking about this subject a lot of folks say change... what change? 

For those of you that don't know there is a change in the start and end dates for Daylight Savings Time this year.  It will start on Sunday, March 11th, 2007 at 2:00am and will end on Sunday, November 4th, 2007.  So for 2007 DST starts 3 weeks earlier on the second Sunday of March and ends a week later on the first Sunday of November.  This change was made as attempt to reduce energy consumption. 

So what needs to happen this year to facilitate the change in DST and what will the impact be. 

Yesterday it suddenly dawned on me that this change was about 5 weeks away.  I started doing some research on how it will affect my company and what we would need to do to our PC's, servers and equipment.  Let's just say, I should have thought of this earlier. (But I am still one step ahead of those of you that don't realize the change is set to happen). 

Here is what I found out.

First of all things like VCR's, DVD's, DVR's, may have some problems.  They won't realize that the time change takes place 3 weeks earlier so that show that you thought you were recording may not record at all. (Now in the case of 24 that would be devastating to me.  If I miss 24, I may go into melt down. ...  Only kidding.)

Now what about cell phones, PDA's, Fax Machines, Time Clocks, switches, routers, NTP appliances and PBX's?  How many of them have the code imbedded to change to DST on the first Sunday of April and the last Sunday in October? This is just the tip of the iceberg.  Each company will have to look at the impact that this change will have on you.

According to Microsoft these are their products that will be affected by the change.

Microsoft products affected by the DST legislation
Windows Client
Windows Server
Windows Mobile
Microsoft Windows SharePoint Services
Microsoft Exchange Server
Microsoft Office Outlook
Microsoft Dynamics CRM
Microsoft Biztalk Server
Microsoft SQL Server Notification Services
Microsoft Entourage

Now for the OS's and how they are going to handle it.

Windows 2000 Server and Professional

The news is not good for those of us still forced to run Windows 2000, either server or workstation.  Windows 2000 is going to require a manual process be done to update the timezone database and the registry keys for the current control set.  I downloaded and watched the webcast on the steps to do the process and the information contained in the webcast was very helpful.

To view the webcast go to:
www118.livemeeting.com/cc/msevents/view

For those of you that don't want to take the time to view the webcast, you will need to look at the information in the Microsoft Knowledge Base articles number KB914387 and KB928388.  The first article is the step by step procedure for making the change to your timezone database and the registry settings.  The second is a Time Zone Editor tool that will help you if you just want to change the timezone that you or the computer is located in.  (This is not recommended, especially for laptops that travel.)

It looks like the entire process may take between 15 minutes and a half hour to complete.  I haven't had a chance to follow the procedure yet so can't give you a definite time. 

Windows 95/98/ME/NT Server and Workstation

For those of you still using Windows 95, 98, ME, NT 4 server or workstation, it is time to upgrade.  Of course upgrading may mean buying a new computer.  Sorry about that but that is the price of progress.  Technology continues to change and we just have to change with it.

Windows XP (SP1) and I assume XP Home Edition

These OS's are no longer supported so I am not sure exactly what those who have them are supposed to do.  Perhaps someone from Microsoft can fill us in.  I know that there are a lot of home computers still running XP Home.

Windows XP (SP2) and Windows 2003

There is a patch available on the Microsoft download site and will be in the Update Patch cycle sometime in early March.

Windows Vista

No updates are needed. It is shipping with the new Timezone Database installed.

Microsoft Exchange, Outlook, Biztalk Server, SQL Server or any of the other items listed in the table above would be advised to check the Microsoft article about what the requirements for them will be.

www.microsoft.com/windows/timezone/dst2007.mspx


It looks like Redhat has released patches for their OS's, as well as IBM, Novell, Sun, Cisco, Fortinet, Apple and the list goes on. For more info and additional resources check out:

www.edgeblog.net/2007/daylight-saving-time-the-year-2007-problem/

Applications like Oracle, MySQL, Java also have issues that need to be addressed.  The information for these can be found at the above website.

Now for those of you that say... Ok this is it. I do it now and I am done with it.  Well, maybe not.  Take a look at the information provided at:

webexhibits.org/daylightsaving/b.html

Specifically the paragraph that states, "The Secretary of Energy will report the impact of this change to Congress. Congress retains the right to resume the 2005 Daylight Saving Time schedule once the Department of Energy study is complete." 

I think what that means is that this is a test year. If they don't like it they can change it back.  Ok so then does that mean that next year we have to do the whole thing over and reverse what we did this year??? 



0 Comments

Published: 2007-01-31

Vivio Lure Spreading Crimeware

Websense Security Labs reports that they have discovered another information stealing, malicious code attack that appears to be a coordinated effort of the Russian and Brazilian bad boys.  The program is spreading via email by email receivers clicking on a link included in an email.  The page attempts to infect the PC by downloading and running a program called stylecss.exe. (If your computer is properly patched the program will not run.)  Once infected the program is designed to steal banking information from banking websites. 

For more information see the write at:

www.websense.com/securitylabs/alerts/alert.php 

0 Comments

Published: 2007-01-31

Blocking .exe attachments

"Storm Worm" and a recent rash of simple .exe attachments showed how easy it is to still trick users into clicking on executables that arrive via e-mail. On the other hand: Why do users still receive attachments which they are not supposed to click on. In this diary, we are trying to summarize some simple recipes to block attachments with given extensions for different mail transport agents (MTA). Feel free to submit your own. We will keep adding amending. The start is from a quick google search and consulting with our handlers.  Also, we should mention that for some of us, this sort of a default allow stance (allow anything not explictly denied) grates a little.  We'd prefer to explicitly whitelist those attachments that must be allowed for business purposes and deny everything else, but for the rest of this story, we'll assume the default allow stance most of us have inherited.

Postfix:


Postfix uses 'mime_header_checks' to apply regular expressions to incoming e-mail. You can use the following expression to filter attachments based on extension:
/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
bat|exe|scr))(\?=)?"?\s*(;|$)/x
REJECT 598 Attachment name "$2" may not end with ".$3"
(this example filters .bat, .exe and .scr, see references below for a list of other extensions you might want to consider blocking)

Procmail:


The procmail recipe can use the same regular expression used by Postfix:

:0
* ^Content-(Disposition|Type).name\s*=\s*"?(.*\.(bat|exe|scr))(\?=)?"?\s*(;|$)
/dev/null


Amavisd-new:

 

Amavisd-new can be configured to block based on filename by setting up the following in amavisd.conf (note, that amavisd-new can also do more accurate checking based on examining the file 'magic' values as shown in the second regex below, so simply renaming a .zip to .piz, for example, won't allow the attachment through):

$banned_filename_re = new_RE(
   qr'.\.(bat|exe|scr)$'i,
   qr'^\.(exe|zip|lha|tnef)$'i,    # banned file(1) types
);


Sendmail:

The preferred method to block these in sendmail (8.12.x and later) is with a milter.  One of the most popular is MIMEdefang (http://www.mimedefang.org), which includes a default filter that blocks these and a number of other "bad" file types.

References:


http://support.microsoft.com/kb/883260/ - describes the XPSP2 Attachment Manager and lists dangerous types

0 Comments

Published: 2007-01-31

New? Microsoft word vulnerability used as vector in targeted attacks

Symantec is reporting on what might possibly be yet another unpatched vulnerability being exploited by the bad guys out there. It seems to be used in targeted attacks. We're seeking samples, confirmation, CVE name etc. at this point.

Even though it appears there might be little gain in once again trying to convince people not to email office documents, not to open them, etc. some renewed attention might be required.
If five unpatched vulnerabilities is the risk level you need before being allowed to act and start to filter, you might have your "go" at this point. The oldest of the 5 vulnerabilities is publicly known since December 5th, 2006.

Let's hope at least some of them get patched in February's Black Tuesday patches.
--
Swa Frantzen -- net2s.com

0 Comments

Published: 2007-01-29

Windows Vista availability

Tonight, Windows Vista will go on sale to consumers. For many Microsoft subscribers (mostly businesses), it has been available since December. If you have any particular security related "gotchas", let us know.

A couple things to consider before jumping into Vista:
  • Make sure your Anti Virus solution works with Vista.
  • Windows Vista's firewall is configured by default to allow all outbound connections. You may want to tighten this down. There are a few specific outbound "allow" rules which you should probably keep enabled (for example for DNS and DHCP). So by default, the outbound firewall comes with "all traffic allowed" + specific "allowed" rules. I know, this sounds reduntant. But the idea is to keep your system working even if you switch the default rule to block outbound traffic.
  • Note that Windows Vista will not prevent users (or administrators) from doing stupid stuff ;-). If ou know how to secure XP or your current Windows version, stick with it for production use until you are familiar with Vista.
As with all major upgrades like this: Test! Test! Test! Don't implement with haste. Ultimately, this will be a forced upgrade as support for XP will be ceased at some point. So look at alternatives (e.g. Vista or another OS) in time. Support for XP will be available for at least 12 more months. See http://www.microsoft.com/windows/lifecycle/default.mspx

0 Comments

Published: 2007-01-28

DNS security & new BIND releases

Last Thursday, the Internet Systems Consortium released new versions of the popular BIND DNS server software. The new releases, 9.2.8, 9.3.4 and 9.4.0rc2 contain fixes for two security vulnerabilities that were identified early January.

The first vulnerability, assigned CVE-2007-0494, is only exploitable in those BIND configurations that use DNSSEC validation through the use of trusted-keys. During the validation of responses to type * (ANY) queriesthat returns multiple RRsets certain assertion checks can be triggered (which could cause the daemon to exit). This is still a fairly low impact vulnerability – the SECspider at UCLA only knows of 722 DNSSEC enabled zones on the internet.

In the second vulnerability, assigned CVE-2007-0493, certain requests could cause named, the actual DNS server of the BIND software, to read a freed fetch context. This would cause named to exit, allowing a remote attacker to perform a DoS attack against the server.

The impact of many DNS vulnerabilities can be mitigated by using best practices in the design of a DNS architecture. For example, disabling the ability of external users to run recursive lookups against your servers can simultaneously limit the scope of the above vulnerabilities, increase performance for legitimate users and prevent your servers from being used in an amplification denial-of-service attack. Nevertheless, measurements by the Measurement Factory show that as recently as August 2006, 52% of all DNS servers on the internet still allowed recursion by clients outside of their administrative domain.

Even though these specific vulnerabilities are ranked as low impact, if there’s one security improvement you consider this week, make it a thorough check of your public DNS servers – do they allow functionality that isn’t required, such as open recursion? The NIST has an excellent document on implementing secure DNS, and Team Cymru's Secure BIND template can prove most useful.

The Center for Internet Security www.cisecurity.org has a template available as well.

 


Maarten Van Horenbeeck

0 Comments

Published: 2007-01-28

Fixing the broken hashes

One media source reported earlier this week of a ‘breakthrough finding’ in attacks on SHA1. Some readers wrote us quoting the article, asking what was up. The article in fact referred to a well-known finding in early February 2005, when a Chinese research team announced they had found ways to identify collisions in a much faster way than purely through brute force attack.

As SHA1 generates 160 bits of output, there are 2160 potential output values. Due to the birthday paradox, brute force attacks against SHA1 would as such have taken 280 iterations to find a collision – two messages with an identical hash value. Technically this attack would be difficult to achieve on current hardware.

The 2005 findings by Xiaoyun Wang and her research team decreased this to 269 hash operations. As this is purely a collision attack, its use as an attack strategy is limited to certain situations in which system designers require strong collision resistance.

There are already certain hash functions that are not affected by these recent attacks. NESSIE, a European Commission research project identified a number of recommended hash functions. These included Whirlpool, as well as the SHA-based functions SHA-256, SHA-384 and SHA-512. The project reported negatively on SHA1 due to its short output length of 160 bits. In March of 2006, the National Institute for Standards and Technology (NIST) started advising against the use of SHA-1 for implementations that require collision resistance and suggested some of those same alternatives.

This week, NIST released a draft minimum requirements list for candidate hash algorithms to replace SHA-1 as the Secure Hash Standard. They are actively soliciting input in order to allow for the organization of a new public competition, similar to that used to select Rijndael as the AES standard.

The advice fellow handler Dan gave back in 2005 still stands:
- know where the affected hash functions are used in your organization;
- identify the cryptographic services they deliver in each instance;
- identify which types of service are affected by new attacks;
- liaise with your vendors and developers to ensure availability of alternatives where necessary;
- closely track standardization efforts to ensure implemented alternatives are peer-reviewed and widely supported.

Maarten Van Horenbeeck

0 Comments

Published: 2007-01-27

Incident & Information Sharing conundrum

I have had a conversation with T.C Piits (The Common Person in itsec) over the last month or so.
T.C. approached me and said "We were eaten alive by a "very limited, targeted attack" we discovered
four weeks ago. Not only did we get eaten alive, it's now evident from public list posts that other
environments were also exploited. Within two days of discovering the security breach we had a
complete analysis finished. I can't share the results of our in-house reverse engineering and
forensics analysis, nor can I share the results of our managed security service providers reverse
engineering. I can share that forensics determined that the attack had successfully ocurred
6 weeks ago. And here it is, four weeks after analysis was completed, and there's still no detailed
public information available about what the attack accomplishes. I'm sure other networks were
penetrated. Got any thoughts?".

And I responded, "T.C, you have a conumdrum, and so does everyone in the itsec community.". "It's
clear that attackers, vendors, and other groups like ISAC's, share some information between
themselves and with their customers. However, its evident in this day of "very limited, targeted
attacks" that detailed "analysis" is usually under an NDA, with a few occasional exceptions. Knowing
the attack is difficult to detect, other itsec shops that have been subjected to this "very limited,
targeted attack" are out of luck in this situation.".

T.C. responded with "Do you have any suggestions to solve this conumdrum?".

And I said "It's evident that attacker and defender alike are following the "pay to play" business
model. Most people do not have any problems with that business model, getting paid for your
intellectual efforts is OK with me. However, the disclosure/sharing problem you're describing is
huge, if information concerning "very limited, targeted attacks" is not shared, everyone in itsec
and our organizations will suffer more as time goes on. As a suggestion, see if you can work
out an IR policy and procedure within your organization for sanitizing and releasing information you
think is important for others to know. You might also try to get a "responsible disclosure" policy
and procedure established with and at any ISAC you belong to. And don't forget you can work out a
"responsible disclosure" agreement with SANS ISC.".

T.C. then says "I have a related question, what about "responsible disclosure" for those itsec shops that
have to rely on MSSP's that NDA their paid for analysis information?".

I respond "Yes, a bigger conundrum. Well, I would hope that their MSSP's would fulfill their
responsibilities to their customers and also have an NDA policy and procedure with customers that
allows them to, directly, or through a trusted third party, publically release helpful "very
limited, targeted attack" analysis in a timely manner.".

So T.C says "Well, I'll bring these ideas up at work, it would help the effort if the ISC referenced
this problem though. Ideas from staff are generally ignored because they were "invented here" if you
know what I mean.".

And I respond "Will Do!.".

0 Comments

Published: 2007-01-26

Malware author wants to gain attention via Windows Live Messenger password stealer

ISC reader Ng Keng Lim shared with us a malware specimen that poses as Windows Live Messenger. The messenger attempts to steal the victim's Windows Live logon credentials by capturing them, saving them to a local text file, and emailing them to the attacker. It is available as a free download from the author's website.

The most interesting aspect of this specimen is not its functionality per se, but its purpose. As far as I can tell, its main goal is to bring attention to its author's website, probably to generate ad revenue or to use the site for launching browser-based attacks.

When launched, the program presents a standard login screen that users of Windows Live Messenger are accustomed to seeing. When the user attempts to log on, the program writes the credential to a local file. By default, this file is called "pas.txt" and is placed in the root of  the C: drive. Its contents look like this:

www.malwareauthorwebsite.com
Username: victim@example.com
Password: password1
www.malwareauthorwebsite.com
The "www.malwareauthorwebsite.com" website is not the real address--I didn't want to specify it here--but you get the idea. This is just one of the places where the author reminds the victim or the user of the program's origins. When the victim attempts to exit the fake Windows Live Messenger, a browser window pops up, loading the program author's website.

I came across a forum discussion where the participants were warning each other about this malware specimen. The supposed author of the program commented as well, stating that he or she was the creator of this program: "you can come take a look at my site." The comment also included the person's alias, which is probably an attempt to build a reputation for him or herself.

The person's website distributes the program as a free download. The potential attacker can customize it by entering the secret password in the field where the victim would type his or her Windows Live email address. This brings up the screens with the following options to adjust the behavior of the program:



Customization screens allow the attacker to select the name of the file where the passwords are stored, modify the password used to get to the customization screens, select the email address where to send harvested logon credentials, and so on. The options menu is another place where the program's author includes a link to his or her website.

Several versions of the malicious program have been released. The file that represents the current version has the following properties:
Size: 1513472 bytes
MD5 hash: a7a75a56b4b960c8532c37d3c705f88f
SHA1 hash: e69d26db431e383131826fab5db213559ee68814
None of the anti-virus vendors I checked currently detect the latest version of program as malicious, although Sophos includes a brief description on its website, calling it Troj/Msnfake-M.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com

0 Comments

Published: 2007-01-25

Citrix Vulnerability

This is for Citrix users: Time to Patch!
Another vulnerability was disclosed that affects the Citrix presentation plataform.
This one, discovered by the ZeroDayInitiative is a buffer overflow vulnerability and received the CVE ID of CVE-2007-0444 (not much info there) and affects the Citrix Presentation  Server 4.0, Metaframe XP 1.0 and  Metaframe Presentation  Server 3.0.
If sucessfuly exploited, an attacker will be able to run code as System.
Exploit for this vulnerability is available, so I really recommend the usual test and patch procedure!
Citrix has information about this vulnerability and the proper measures to take.

Update:

Here you can find more info regarding this CVE number.

0 Comments

Published: 2007-01-25

Malware Analysis Quiz 7 - results

Today I just posted the results of my latests quiz, the Malware Analysis Quiz 7. The quizes are available here . The latest quiz and results are available here . This one was related to the Themida packer (of course that they didnt know that before:) ) already discussed in our diaries. Even for those that do not follow the quizes, I recommend some reading to learn with those that sucessfuly finished this one!

0 Comments

Published: 2007-01-24

Cisco vulnerabilities

Several readers have written in that Cisco just released three security bulletins regarding issues in the Cisco IOS software:

Crafted TCP Packet can cause denial of service
A remotely-exploitable memory leak in the Cisco IOS software could lead to a denial of service condition. This vulnerability applies to much of the IOS 12.0, 12.1 and 12.2 code base.

Crafted IP Option vulnerability
Routers and switches running IOS or IOS XR could be vulnerable to a remotely exploitable craft IP option DoS attack. This is a significant issue as in some cases it has the potential to allow for arbitrary code execution.

IPv6 Routing Header vulnerability
Certain crafted IPv6 Type 0 routing headers could crash a device running IOS.

We are currently performing a more detailed analysis of each of these vulnerabilities and will post updates to these issues shortly. As a form of triage we believe organizations are most likely to be affected by the 'Crafted IP Option vulnerability', which simultaneously has the highest potential impact. 

If you run Cisco switches or routers in your network, we advise you to review these bulletins in detail and take mitigative action where required.

0 Comments

Published: 2007-01-23

Fix for quicktime arbitrary code execution

     Apple has provided a fix for an buffer overflow vulnerability in RTSP urls.  The fix is available for: "QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, Windows XP/2000".

For Windows users: The patch is only provided for OS X. As a Windows user, your best bet is to uninstall Quicktime and if you still need it download the newest version from Apple later. You can find it by clicking the "Quicktime" tab on Apple's home page (www.apple.com) and follow the download links. Its not clear if the version that is available right now is vulnerable or not. But it does not appear to have been updated recently.

     Many thanks to Juha-Matti for bringing this up.

0 Comments

Published: 2007-01-22

My CERT/SIRT...

We probably all know the situation. It is when we reach out for help, to share information, or just to chat. At the other end you don't get that warm cosy feeling. Your National/Organizational/Local CERT/SIRT/CSIRT... doesn't appear to care or have time for you. They are supposed to support the constituency you represent, excepting that there seems to be a discrepancy in between how you perceive it and they do. What to do?

Option 1: Completely ignore them. Stop sending any incident data, stop answering their calls. You know it isn't the best way to behave but you don't feel you have a choice.

Option 2: Smile and nod. Slowly stop sending them any data, but politely answer their calls.

Option 3: Grin and bear it. Not the most fun option. Although you might not receive anything of perceived value in return you still feed data and hope for a better day.

You actually do have a choice, and I urge you to use it. Always voice your concerns to your local, organizational, association, national and law enforcement representation. They might not always immediately pay you back, but I do believe that good turns do pay back dividends.

Serge Responds:
I saw your diary entry about "Your National/Organizational/Local
CERT/SIRT/CSIRT" and feel this is only half the truth.

We operate a CERT for the Swiss Universities and for the government program MELANI (www.melani.admin.ch). In the later function we are the Swiss national CERT.
In that function we often get requests, from organizations that charge money for their services. Many of these request could be solved without our involvement. Having us look after this incident essentially means the requester has given us his homework to do, diverting our resources away from other important work. Usually we reply saying we are happy to help, if their attempts to fix the problem failed. Most of the time, having helped, we don't even get an acknowledgment and much less a "Thank you".

At other times we get very rather rude (automated?) request "To fix this", but never get a replay when asking back, what it is, that we should fix.

It always takes two to a tango. We are happy to help if we can and feel the request is something where we can make a difference. We have a hard time reacting, when we feel someone else is outsourcing his work to us, of course free of charge. That's a message you should get out too.

Sincerely
Serge Droz

 

Cheers, Adrien.

 

 

0 Comments

Published: 2007-01-22

Remove old JRE!

As new versions of the Sun Java JRE keep coming out to address security vulnerabilities do NOT forget to remove the old versions. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run, update the applications and then update the JRE, and then remove the old JRE versions.  Why? A Java applet can request which version of JRE it wishes to use, that's why.


UPDATE 26/01/2007

Readers Jim and John both wrote in to let us know that  since 1.5.0_06 Sun has changed the way Applets and applications can specify the Java version to run.

More information here.

And here.

How to.

Corporate silent install/uninstall (Thanks Andrew!)

Active Directory Deployment.

BTW: "The Sun Java Runtime Environment contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system"  released today. Either permanently disable Java AND Jscript in your browser(S) or keep as close an eye on JRE versions as you do Microsoft Windows patches.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102731-1

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1

Cheers, Adrien de Beaupré

The US-CERT info linked to in the Diary says;
Systems Affected
Sun Java Runtime Environment versions
a.. JDK and JRE 5.0 Update 9 and earlier
b.. SDK and JRE 1.4.2_12 and earlier
c.. SDK and JRE 1.3.1_18 and earlier
Update at;
http://java.com/en/download/index.jsp

BSSI/Cinnabar

 

0 Comments

Published: 2007-01-21

Contact Page

Readers, we are going to develop a contact page for you to use when trying to troubleshoot an Internet issue or to report a situation to the right authority.  To do so, we want to point to "directory" pages where other groups have already vetted a certain membership.  For example, see these groups:

FIRST (Forum of Incident Response and Security Teams)
Terena (Trans-European Research and Education Networking Association)
AP-CERT (Asia Pacific Computer Emergency Response Team)

If you know of other sites with vetted members working to keep the Internet safe, send them to us via our contact form.  We'll update this diary entry as they come in, then we'll build the permanent page in the next day or so.

By the way, CERT teams are only part of the solution. Lists of law enforcement groups that can investigate cyber crime, lists of ISP NOCs, and lists of consumer protection groups are also helpful.

Thanks!

Marcus H. Sachs
Director, SANS Internet Storm Center


UPDATE 1535 GMT  21 Jan 07:
Thanks to everybody who has sent links so far.  Here's a few that we have received:

EEIC (Electronic Evidence Information Center)
APWG  (Anti-Phishing Working Group)
IC3 (Internet Crime Complaint Center)

Remember that we're looking for lists of sites, not the sites themselves.  However, if you know of a site that may not be on somebody's vetted list please send it to us.


0 Comments

Published: 2007-01-19

Spam asking for a dollar to unsubscribe

     Chris Barton from McAfee pointed out a fraud coming from Russian spammers .  Their translation shows the spammer asking for $1 to be transferred via either Web Money or Yandex Money.
     While the fraud may not be new, it's the first time I've seen a fake unsubscribe offer request money from the target.

0 Comments

Published: 2007-01-19

Sun Java Vulnerability in processing GIF images

Sun has released an alert notification regarding a vulnerability with the JRE (CVE-2007-0243 )

The alert states that an overflow vulnerability may allow the escalation of privileges.

The recommendation from Sun is to upgrade your JRE.  Information in the article is provided regarding the download locations and the relevant version depending on your level of the JRE.

Mark H
ISC Handler On Duty
shearwater

0 Comments

Published: 2007-01-19

European Storm Video E-Mail



UPDATE:


A new variant of this virus has surfaced over the last 3-4 hours.  This variant is slightly smaller than the original.
MD5 checksums for the files are:
  • cf6c72dfa5a05beb46f21a21cb6d3487  for the original version
  • b9a0d6c8493ad79c2c09137871b95672  for the new variant
(If you have a file that does not match the above two signatures feel free to submit it)

AV products are picking up the original, only some are picking up the variant (that should change over the next few hours).

The subject and file names are changing as well in line with the news headlines of the day.  In addition to the subjects mentioned in Part 1 we have seen:
  • Chinese missile shot down USA aircraft
  • Chinese missile shot down USA satellite
  • Chinese missile shot down Russian satellite
  • Russian missile shot down USA aircraft
  • Russia missile shot down USA satellite
  • Russian missile shot down Chinese aircraft
  • Radical Muslim drinking enemies' blood
  • Sadam Hussein alive!
  • Sadam Hussein safe and sound! 
Many readers have reported that their Anti Spam filters capture the files.  If you are blocking executables, then at the moment things should be fine in your camp.

We'll keep you updated.

Mark
ISC Handler On Duty
Shearwater

0 Comments

Published: 2007-01-18

Microsoft Releases update for Excel 2000

Microsoft has released the update to fix the issues with the Asian languages.  It is available on both the Windows Update site and the Office Update site. Microsoft re-released this because the update originally released on January 9th did not fully protect against the issues described in the bulletin.  The update released today corrects the problem.  For more information see:

www.microsoft.com/technet/security/Bulletin/MS07-002.mspx

If you are not running Excel or are running a version other Excel 2000 you do not need to apply the patch.  If you are running the affected version  you will be prompted to apply the new update.

0 Comments

Published: 2007-01-17

Port 20000/TCP Activity

We've been noticing a fair amount of activity on port 20000/TCP over the last month or so.

http://isc.sans.org/port.html?port=20000

This port has been reported as the default port for Usermin servers and the National Vulnerability Database (NVD) at NIST does show several Usermin issues in the last year, but nothing obviously related to the current activity.

CVE-2006-4246
Published: 9/19/2006 CVSS Severity: 3.3 (Low)
CVE-2006-4542
Published: 9/5/2006 CVSS Severity: 7.0 (High)
CVE-2006-3392 (VU#999601)
Published: 7/6/2006 CVSS Severity: 2.3 (Low)

Anyone else seeing this activity or have any insight? Packet captures, shellcode, malicious binaries, whatever are always welcome.
Submit via the contact page.

0 Comments

Published: 2007-01-16

Oracle Critical Patch Update - January 2007

Gary wrote in to let us know that Oracle has released their quarterly critical patch update.  The January 2007 update includes 51 security patches that affect a wide swath of products.  For more details about the update, please see the Oracle patch update notice at http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html.

0 Comments

Published: 2007-01-15

OSSEC turns (v)1.0

For those of you who don't follow the loganalysis mailing list, Daniel Cid announced over the weekend that ossec has now reached v1.0.  More info can be found at http://www.ossec.net/wiki/index.php/News

0 Comments

Published: 2007-01-15

Dealing with images in your spam

A few years ago, I finally purchased my own domain and set up a small mail server running on a Linux box.  This server is used to host a couple of small mailing lists I run and to handle e-mail for my immediate family.  I have a total of 8 or 9 e-mail addresses that end up being forwarded to my server to end up in my inbox there.  I also have fetchmail running to pop e-mail for the entire family and deliver it to their mailboxes that I then serve up on my home network via imap (actually imaps, but that doesn't make any difference for this discussion).

I had administered rather large sendmail installations in the past and actually got to be quite good at sendmail.cf-fu, but for my server at home I decided I wanted to dig into postfix a little more.  At this point in time, I had not done anything overly complex in postfix, though I had built and packaged it for some Solaris servers/workstations that were under my administrative control at the time.

Anyway, once I got postfix set up initially, I knew I'd need to add anti-virus and anti-spam.  Fortunately, my Linux distro came with amavisd-new.  I'm not going to go through all of the details and settings I played with to reach something I was initially comfortable with, but there are a number of  'how-to' type documents at [1], that tell how to set-up Postfix with amavisd-new, spamassassin, and your choice of anti-virus.  Since my server is relatively lightly loaded and only has a few users who receive e-mail (my various addresses --used for subscribing to mailing lists, etc.-- account for well over 95% of all the e-mail received by this machine), I decided to cover all my bases.  I now run 5 different anti-virus packages (several free, the rest cheap for a simple home setup).  Eventually, I decided I needed to play with some of the more advanced features/options of Postfix so I got a couple of books.  My favorite (though, by no means the only good one), was [2] and I anxiously await the second edition which they are apparently working on.  As, a result of reading the book, I found Ralf's blog on Amazon, too [3].  I'll come back to that in a minute.

As I tried to tune spamassassin, I found the SARE (SpamAssassin Rules Emporium) at [4], which has a bunch of useful rules, some of which I've added to my collection.  I also wrote a few of my own and spent a lot of time playing with the scores of various rules.  At one point in time, I had virtually eliminated spam in my inbox (I have a procmail rule that sorts messages marked as spam into a separate folder).  Unfortunately, I had too many false positives, that is, I was marking too much legit e-mail as spam.  After a little more tuning, I finally reached the state where I had very few false positives (maybe 1 every other day or so) and I realized that almost all of the false negatives (spam getting past the filters) had images in them.  Now, I read my e-mail as plain text (see http://isc.sans.org/diary.html?storyid=1551http://isc.sans.org/diary.html?storyid=1918 and Spaf's blog for other discussions of that subject), so I had no idea what was in these images, I just saw that there were images as attachments on these messages.

That brings me back to [3], in reading back through old entries, I noticed that Ralf had mentioned (back in Sep 2006) using FuzzyOCR [6], to reduce some of this spam.  It turns out (and maybe all of you already knew this) that most of those images contain the same kind of fuzzed references to cheap pharmaceuticals or stocks that could bring quick profits, that I was filtering successfully from the body or headers of the messages.  As a result, I looked at [7] and then [5] and found a couple of new (to me) tools to help deal with some of this remaining spam in my inbox.  I've only been running this setup for a little over a week, but the result has been that I have had no more than 1 or 2 false negatives and 1 or 2 false positives a day since I starting running FuzzyOCR and ImageInfo (well under 1% of my e-mail), so I'm pretty happy with them.  I realize that running OCR software against all inbound e-mail is going to be too heavy a load for the mail servers in most large organizations.  As I mentioned above, my server is relatively lightly loaded and I tweaked the FuzzyOCR config to basically only run it if it hadn't already been determined to be spam by some other means, but I'm quite happy with it.  Of course, this means that the spammers will soon change tactics again to evade these tools, too, but for the moment, it works for me.


References:
[1] http://www.ijs.si/software/amavisd/ (especially the how-to sections)
[2] Ralf Hildebrandt's Postfix book
[3] Ralf's Amazon blog
[4] http://www.rulesemporium.com/
[5] http://www200.pair.com/mecham/spam/image_spam.html
[6] http://fuzzyocr.own-hero.net/
[7] http://www.maiamailguard.com/maia/wiki/FuzzyOCR23


Jim Clausing, jclausing ++ at ++ isc dot sans dot org

0 Comments

Published: 2007-01-14

TCP Port 6503

We have noticed that earlier today there has been an increase in both sources and targets of port 6503.   The first thing that went through our heads was "What would Jack Bauer do?"   And then we realized, Jack is currently in a Chinese Prison.  Better for us to call on Chloe for help.  

Or we could turn to our readers for packet captures.  So if you are seeing increased traffic to this port, and have packet captures of something other then just SYNs, please submit them to us.


*Note: For those that don't realize, many of the ISC Handlers are big fans of the tv show "24" whose season premiere is Sunday night in the states.  So it is party time for those of us who are fans of the show.

0 Comments

Published: 2007-01-14

SSL and Ecommerce Authentication

Good afternoon all. I know that there is a chance that this may come off as a rant, but it is not intended as one.

In the past 24 hours it came to my attention that Citibank has somewhat recently made a change that one of our readers (Thanks Dan) to their authentication website. In 2006, if you visited http://www.citicards.com it would redirect your browser to their secure site located at https://www.citibank.com/us/cards/index.jsp . This is very appropriate as we have trained our users to look for the HTTPS and the lock in the web browser to help protect their information. However, as of today by default Citibank is no longer redirecting you immediately to the secure site. So one can connect to the website and end up on an authentication page that is not encrypted. However, the post action of the form does actually use the HTTPS server for its communication.

I have seen other e-commerce and web based mail systems that have done similar things. I have also seen many of the popular web email sites only protect the authentication portion of the communication. This does protect the authentication tokens, but how well does it protect all of the other communication that occurs after this point.

So how are we as security practitioners supposed to educate our developers and/or our end users when things are or should be encrypted and when things are not absolutely necessary. In the case of Citibank, is it appropriate to require their customers to either read the source code to verify the authentication form is encrypted, or are we supposed to just trust that they are doing thing appropriately?

While I try to find a new way to educate our users, I will continue to recommend that authentication web forms should start on an SSL page, and should remain SSL until the end user logs out. I also recommend that developers be aware of recommendations like those developed by the OWASP Project when building secure sites.





0 Comments

Published: 2007-01-14

DMG Handling Vulnerabilities on MacOSX

In the past week, the Month of the Apple Bugs website has shown a number of vulnerabilities with how MacOSX handles DMG files.  DMG files are the Macintosh OS X Disk Copy Disk Image Files and similar to ISO images.  As they can be mounted, read, opened using various software packages (such as the Safari web browser and the command line utilities like hdiutil), specially crafted forms of this file may cause denial of service attacks, and remote execution flaws.

Of particular note, on January 10 a vulnerability was identified which could allow attackers to execute arbitrary commands.  This is caused by a flaw in the ffs_mountfs() function when handling specially crafted DMG files.  The Safari web browser can be used as a conduit for exploitation of this and other DMG vulnerabilities.  I would assume that alternate browsers on MacOSX, do not have the same support for this format enabled by default.  But if the attacker tricks the user to download the specially crafted image file, then I would suspect exploitation could occur through other installed software.

While Apple computers is correcting for the vulnerabilities, I would recommend that you  disable the "open safe files after downloading" option in Safari preferences.  I would also be cautious handling DMG files with any other applications on MacOSX.

For more information on all of the Apple DMG vulnerabilities released so far, please see:
Apple DMG HFS+ do_hfs_truncate() Denial of Service Vulnerability
Apple DMG UFS  ufs_lookup() Denial of Service Vulnerability
Apple DMG UFS byte_swap_sbin() Integer Overflow Denial of Service Vulnerability
Apple DMG UFS ffs_mountfs() Integer Overflow DoS and/or Code Execution Vulnerability
Apple Finder DMG Volume Name Memory Corruption  DoS and/or Code Execution Vulnerability


For more information on the ffs_mountfs() vulnerability, please see:
http://projects.info-pull.com/moab/MOAB-10-01-2007.html
http://applefun.blogspot.com/index.html
http://secunia.com/advisories/23703
http://www.securityfocus.com/bid/21993/info
http://www.frsirt.com/english/advisories/2007/0141

0 Comments

Published: 2007-01-13

YaY Popup Update

A quick update. Trend Micro has detected this as TROJ_ZONEBAC.F (Thanks to our reader smallmo).

0 Comments

Published: 2007-01-13

Snort Vulnerabilities

Two vulnerabilities are reported recently. One is pertaining to Rule Matching Backtrack Denial of Service Vulnerability.  A attacker may cause denial of service, which could allow the remote user to evade detection. This issue is fixed in v2.6.1.

http://www.snort.org/pub-bin/snortnews.cgi#591
http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf

The other one, affecting Snort 2.6.1.2, is due to an integer underflow that may allow a remote attacker to cause Snort to read beyond a specified length of memory, potentially corrupting logfiles.

The system is only affected if you have compiled Snort to decode the Generic Routing Encapsulation (GRE) protocol. GRE is used to encapsulate arbitrary protocols to a remote host. The vulnerable code is not compiled by default.

Update: The "gre" decoder is usually not enabled by default. In order to enable it, you need to use the "--enable-gre" switch during "configure" to turn on the vulnerable  decoder. See the snort-users list for more details.

Sourcefire has released a fix for this vulnerability in Snort's current CVS tree.

http://labs.calyptix.com/advisories/CX-2007-01.txt

0 Comments

Published: 2007-01-13

Oracle Critical Patch Update Pre-Release Announcement

Oracle has released an advance information on its upcoming quarterly patch that is planned to be released on 16 Jan 07.

This Critical Patch Update contains 52 new security fixes. At least 24 of them may be remotely exploitable without authentication. The highest CVSS base score of vulnerabilities across all products is 7.0.

The affected products include Oracle Database, Oracle Application Server, Oracle E-Business Suite and Applications, Oracle Enterprise Manager and Oracle PeopleSoft Enterprise.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

0 Comments

Published: 2007-01-12

YaY popup

We're seeing an outbreak of some malware causing pop-ups. It's possibly caused by a file USB.EXE, we're not sure if this is the only name used.

This new beastie is rather obnoxious: it seems to overwrite system binaries such as system tray tools, anti-virus software, instant messaging software, ... It also seems to hijack Internet Explorer and might be calling home that way.
We're currently seeking more information regarding the intial infection vector so if you have anything to share on how the thing started (Email, IM, web, ...) and have some pointers there, we'd be much obliged.

USB.EXE:
MD5:  562eacac46c54b273b42e8b8d89f2782
SHA1: 31dc9ce30a2ddd9dc2c080835f29c0482937f4f6

0 Comments

Published: 2007-01-11

Computer Associates Arcserve Buffer Overflow Vulnerability

Computer Associates today released an advisory and patch that deals with a remotely exploitable bug in CA BrightStor ARCserve Backup tape engine.  From TippingPoint's Zero Day Initiative site:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Computer Associates BrightStor ARCserve Backup. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the Tape Engine RPC service which listens by default on TCP port 6503 with the following UUID:

    2b93df0-8b02-11ce-876c-00805f842837

The service exposes a buffer overflow in the handler for RPC opnum 0xCF that allows for arbitrary code execution when handling user-supplied data from the RPC request.
Since the service runs on Windows as LOCAL_SYSTEM, an attacker exploiting this vuln could have complete unrestricted control over the victim.

Versions of Arcserve up to and including version 11.5 are vulnerable and admins should visit http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp to pull down the vendor supplied fix.

Question for the community: Is anyone running Arcserve in an enterprise environment *without* running the service as LOCAL_SYSTEM?

0 Comments

Published: 2007-01-11

Port 2968 update - Same as 2967 ever was

Update: The Novell Clients will have Symantec AV listening on port 2968 as well. Not just the server!
This may explain the rise as it exposes a much larger population of systems.

We have captured a fair number of attacks against ports 2968 and 2967 over the past 24 hours and they appear to be identical in payload. The attack is effective against Symantec Antivirus version 10.0.2.2000 and below. The shellcode opens a bindshell on port 8555, which is then connected to and either ftp.exe or tftp.exe are used to download what appears to be a botnet client.

One submitter tells us:
Symantec has widely reported vulnerabilities in clients 10.0.2.2000 and below.  It is a remotely exploitable vulnerability that does not require user intervention.  10.0.2.2002 remediates the problem.

Over the last several days, we've experienced a significant number of systems (missing the Symantec patch) that have been exploited by a worm.  The worm spreads by a number of mechanisms, but namely the Symantec vulnerbility over port TCP 2967.   I was able to capture traffic from an infected host, see attached file.  The worm tries to phone home to 89.163.145.15:6667.  By blocking this on the outbound firewall or router, the worm will stop attempting to spread.  Long story short, be sure to patch your systems!
The question remains, why the port 2968 variant? Since the attack is using Windows shellcode, and running Windows commands for backchannel propagation, why go after the port used on Novell Netware versions of Symantec Live Update?

Your thoughts are welcome, as always.

0 Comments

Published: 2007-01-10

Port 2968 big rise - related to Symantec AV?

Port 2968 is getting quite a jump recently. Take a look at the graph below.

Port 2968 Graph

We suspect the jump is due to the recent Symantec AV 10.1 exploitation. The previous exploits generally hit on port 2967 since that's the port that Symantec AV listens on (for Windows). According to documentation from Symantec, port 2968 is only used for AV running on Netware servers. We are not sure at this point whether the attackers are targeting Netware server since other hosts have all been exploited already or if Symantec AV listens on port 2968 as a backup port. If you have any info on the port 2968 traffic, please let us know.

1 Comments

Published: 2007-01-10

Adobe 7.0.9 released to address the XSS vulnerability

As promised by Adobe, Acrobat 7.0.9 has been released to address a cross site scripting vulnerability. If you are running version 7.0.8 and prior, you should seriously consider to upgrade. Although there are reports that certain combinations of browsers and Acrobat versions are not vulnerable, upgrading might be the easiest path to ensure vulnerability is gone.

This link will get you to download the latest copy of Acrobat version 8, it is not vulnerable to the XSS vulnerability. If you must stay at version 7, there is a link on the same page to download other versions.

0 Comments

Published: 2007-01-09

Microsoft Patches - January 2007 - overview

Overview of the January 2007 Microsoft patches and their status.

# Affected Contra Indications Known Exploits Microsoft rating ISC rating(*)
clients servers
MS07-001 Remote code execution in Office 2003 Brazilian grammar checker. Read more...
Office 2003

CVE-2006-5574
No known problems

KB 921585
Exploit publicly available
Important Critical Important
MS07-002 Multiple Remote code execution vulnerabilities in Excel.
Excel, including mac versions

CVE-2007-0027
CVE-2007-0028
CVE-2007-0029
CVE-2007-0030
CVE-2007-0031
No known problems

KB 927198
No known exploits
Critical Critical Important
MS07-003 Multiple remote code execution vulnerabilities in Outlook
Outlook

CVE-2006-1305
CVE-2007-0033
CVE-2007-0034
No known problems

KB 925938
Publicly known exploits
Critical PATCH NOW Important
MS07-004 Remote code execution in VML. Replaces MS06-055.
VML: IE and Outlook

CVE-2007-0024
No known problems

KB 929969
Publicly known exploits
Critical PATCH NOW Important

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Section 66

0 Comments

Published: 2007-01-09

MS07-01: Brazilian Grammar Checker

MSFT bundles a grammar checker for Brazilian Portuguese with Office. Use this as an opportunity to review what kind of language packs for office you have installed. If you don't read/speak or write a certain language, uninstall it.

Take it in line with the "Principles of Least Privilege" (POLP). Software you don't need can only hurt you. Get rid of it.

0 Comments

Published: 2007-01-09

Port 6502

Port 6502 is showing a significant increase in unwanted traffic:

port 6502

The increase is almost purely TCP.

It seems possible this is related to the activity reported earlier by US-CERT regarding the CA BrightStor ARCserve Backup Tape Engine. It exploits a vulnerability disclosed on November 24th, 2006 for which there doesn't seem to be a patch available.

To be sure what it is, we'd like some packets. Please note we don't need just SYN packets, they are useless for this. We need you to set up something that listens and actively tries to talk as a server on port 6502.   "nc" with the right options comes to mind (options are system dependent, check your man page).

It's interesting to note the length of time that passed on this one if this is indeed still the same vulnerability they are attempting to exploit.

--
Swa Frantzen -- Section 66

0 Comments

Published: 2007-01-09

Vulnerability in Acer’s LunchApp.APlunch ActiveX control

Recently there’s been a series of articles about a vulnerability (if you can call that a vulnerability – it looks more like an open program launcher) in the LunchApp.APlunch ActiveX control that comes preinstalled on some Acer laptops.

The original article, available at http://vuln.sg/acerlunchapp-en.html, dates back to November, but for some reason this hit the news now.
The ActiveX control is very simple and basically allows an attacker to execute any binary on a remote machine by just providing a full path to it and (if need) arguments. The control is also marked as safe for scripting.

I’ve quickly tested this on a new Acer TravelMate and the ActiveX control is certainly there. However, even with Internet Explorer 6 (on Windows XP SP2), it does not run automatically, but will warn the user who has to allow the control to run. Internet Explorer 7 will warn the user with the full control name and will not run it automatically either.

At this point in time, until the patch is available, the best thing would be to set the kill bit on this control – see http://support.microsoft.com/kb/240797 for information on how to set kill bits.

0 Comments

Published: 2007-01-08

Who needs sophisticated malware?

This weekend I received another “postcard” e-mail. It looked different than those seen around Christmas so I went to investigate what’s going on here. The main difference was that this was an HTML e-mail, without any attachments, but with a “hidden” link to malware (of course, by moving your mouse over the link shown by the HTML message, one was able to see where it really goes).
The link was pointing to http://www.pettrans [dot] sk/[removed].exe (the site is still up and happily serving malware).

After I downloaded the malware I did couple of quick tests on my Linux machine, as always with new malware:

$ ls -l PostCard.exe
-rw-r--r-- 1 no no 861031 Dec 28 21:37 PostCard.exe
$ md5sum PostCard.exe
866efca20e87813350e325c92680accc PostCard.exe
$ file PostCard.exe
PostCard.exe: MS-DOS executable (EXE), OS/2 or MS Windows


So it was definitely a Windows executable. At this stage we typically want to know if the malware is packed or not, as that can delay the analysis. There are various ways of identifying packed malware – probably the best way to do this is by using PEiD (peid.has.it), a nice utility for identifying PE (Portable Executable) files. PEiD can do most of the job for us as it has a database of fingerprints for well known packers, and besides this it has a really nice feature of calculating the entropy of the analyzed file. This allows you to determine if a file is packed or not, without knowing the packer – files with high entropy are almost certainly packed or encrypted.
However, before starting PEiD, I usually go the easiest way and that’s to run the strings command on the file. If a file is packed, the strings command typically just shows us couple of imported functions and the rest will be garbled. If the file is not packed we will be able to see all text strings in the file, provided that the author didn’t protect this differently.
Running strings on this malware showed something interesting:

$ strings PostCard.exe | less
=A t
:jgS

[…]

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>


Oh! So the file is “packed”, but it is basically just a self extracting archive created with WinRAR. This can be unpacked with any RAR handling application, and I simply used unrar on Linux:

$ unrar t -v PostCard.exe

UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal


Testing archive PostCard.exe

Path=C:\WINDOWS\system\
SavePath
Setup=C:\WINDOWS\system\svchost.exe
Setup=C:\WINDOWS\system\sup.bat
Silent=1
Overwrite=1

Testing download OK
Testing logs OK
Testing sounds OK
Testing aliases.ini OK
Testing control.ini OK
Testing fullname.txt OK
Testing icon.ini OK
Testing ident.txt OK
Testing mirc.ico OK
Testing mirc.ini OK
Testing mircs OK
Testing nicks.txt OK
Testing popups.txt OK
Testing poza.txt OK
Testing remote.ini OK
Testing script.ini OK
Testing servers.ini OK
Testing sup.bat OK
Testing sup.reg OK
Testing svchost.exe OK
Testing users.ini OK
All OK


So it’s a bunch of files packed with WinRAR. We can see an interesting thing here as well. The author used WinRAR’s possibility of specifying the setup script. This is typically used when you download an installation file that has been compressed with WinRAR as a self extracting archive (so you don’t have to have WinRAR on your machine to decompress this). Unrar nicely showed at the beginning what will happen if we execute this file:

Path=C:\WINDOWS\system\
SavePath
Setup=C:\WINDOWS\system\svchost.exe
Setup=C:\WINDOWS\system\sup.bat
Silent=1
Overwrite=1


This file uses silent unpacking mode (so no information is shown to the user) and will overwrite any files it already finds on the system. It will extract everything into C:\WINDOWS\System and upon extraction it will run two files, svchost.exe and sup.bat.
The rest of the analysis was easy – sup.bat file just copied svchost.exe again into the C:\WINDOWS\System directory and set up registry keys needed so this file is started when the system is rebooted. Svchost.exe is a version of the Mirc client and the other files in the archive are simply Mirc configuration files that create a local bot which will join the Undernet IRC network. What’s funny is that the Mirc file was infected with another virus – I bet that even the author’s machine is infected with that virus.

Lessons learned

Due to an easy packer and an old virus almost every AV program detected this without any problem. The effort of creating something like this is absolutely minimal – the Mirc configuration is in various text files and WinRAR was used to pack this.
So what does this tell us?
The huge user base that Windows operating systems have gives enough potential victims that the bad guys do not even have to use any sophisticated techniques. A simple executable file, which was “hidden” by a bit of social engineering was probably enough for them to get a /decent/ infected bot base.
Besides patching systems and keeping your AV program up to date, it is obvious that user awareness/education is the most important element in an average user's protection arsenal.

0 Comments

Published: 2007-01-07

Site Downtime Reminder

This is a quick reminder that isc.sans.org as well as dshield.org will be down for a while starting at 8pm EST. Once I start moving files, you will see just a static image ( isc.sans.org/images/newdesign.png ).

This diary was already written using the new editor (with spell checker!!).

new design

0 Comments

Published: 2007-01-06

Prepared statements in MySQL and PHP

Starting with version 4.1, MySQL offers prepared statements. A prepared statement is a great way to avoid SQL insertion issues. However, frequently prepared statements are not used as they require a bit more typing. So I would like to take this opportunity to show off a few tricks to make it easier to use prepared statements.

First of all, what is a prepared statement:
Without prepared statements to help you, a SQL query is assembled as a string and then passed to the database. You will typically find code like this:

$sQuery="select id from users where email='$sEmail'";
$hResult=mysql_query($sQuery);

The big problem here is SQL injection. What if we don't validate $sEmail well and end up with Mr. '; drop table users; registering?

So how do prepared statements help? Prepared statements execute in stages. At first, you will send the statement to the database, but replace all variables with "?":

$hStmt=mysqli_prepare($dblink,"select id from suers where email=?")

Note that there are no quotes around the ?. Next, we have to associate values to the parameter. This is done using the "bind" statement.

mysqli_stmt_bind_param($hStmt,"s",$sEmail);

The trick here is that MySQL will always consider "$sEmail" as a single value, no matter how many quotes and semi-colons you insert. Did you see that I am now using "mysqli", not "mysql"? mysqli is phps improved MySQL module which enables you to take full advantage of new features like prepared statements. I used the procedural style above, to point out the differences with respect to prepared statements. But in addition, mysqli provides a nice object oriented interface.

Ok. We got our variables bound, and now we need to talk about executing the statement and retrieving the results. The result is bound to a variable pretty much in the same way as parameters:
mysqli_stmt_execute($hStmt);
mysqli_stmt_bind_result($hStmt,$nID);

The real beauty of prepared statements comes to play if you try to execute the same statement multiple times with different parameters. All you have to do is change the content of your bound variable, execute the statement again, and retrieve the results from your already bound result variable. So you don't have to redo the "prepare". MySQL only has to parse your statement once.

But on the other hand, for a quick value retrieval like in the example above, thinks look overly complex.

Enter the object zone. As mentioned above, mysqli is available as a class. And you are free to extend it. You can find the extended class I use on DShield and ISC in our Sourceforge.Net CVS repository.

Couple highlights:
The "simple_query" function can be used to retrieve a single value. The example shown about would look like:
$nID=$oDB->simple_query("select id from users where email=?","s",$sEmail);

All the prepare and bind mess is hidden inside the class.

Or a more complex example. Lets say you would like to dump the output of a query into an HTML table. Something I do a lot for this site ;-):



$sTemplate="  %%port%%  %%count%%  ";
$sQuery="select port, count from port_summary where date=?";
print $oDB->template_query($sQuery,'s',$dDate,$sTemplate,'oddrow','evenrow',600);

"template_query" will fill the results retrieved from the database into a template, one row at a time. "oddrow" and "evenrow" are styles that will be used for odd and even rows respectively. The last parameter specifies a "cache time". The resulting HTML snippet will be cached for just that many seconds in order to save a lot of work if people ask for he same query over and over.

Oh. And before I forget ;-) The extended class above is released under GPL V2. If you are interested in helping to work on the ISC or DShield sites, drop me an e-mail.

0 Comments

Published: 2007-01-06

Good ol' Web Defacements

Shaylan just wrote us "my website has been taken over" ... "people are using them without my permission".

 
He attached a file which is probably collected from his site. It includes a flash animation and redirects to what looks like a Turkish political website. I don't speak turkish, so I am not sure what side/view the site covered. However, the entire episode certainly brought back long subpressed memories about turkish/armenian usenet fights and "hacked by chinese" messages spread by Code Red. Political "hacktivism" has kind of taken a lesser role these days with everybody focusing on making money.

But what are the lesson here?
  1. They are still out there. Usually bottom feeding on the scraps left by bots (or using bots to their advantage of course).
  2. "Best Practices": Its hard to run a hacker-proof website. But its like anything... a little effort goes a long way and keeps out most of the riff-raff.
  3. Shared Servers: Don't use them for business critical web sites. They are fine to run a hobby site from. But for anything else: Get a dedicated system. IMHO, the jury is still out if virtual machines provide enough separation.
Lets see what the weekend brings, but with a bit of luck we will not get flooded by current events and I will find a bit time to discuss web security (or well... if you REALLY want to learm more about web security, see me at RSA early february)

0 Comments

Published: 2007-01-05

ISC Downtime / Redesign

We are planning to move a new design of the ISC site live this weekend. As a result, the site may be unavailable on Sunday evening. At this point, we are planning to make the switch 8-9pm EST on Sunday. So don't be too confused if the site looks all different on Monday.

0 Comments

Published: 2007-01-05

Concurrency strikes MSIE (potentially exploitable msxml3 flaws)

As reported on full-disclosure, MS Internet Explorer is vulnerable to a race condition. The PoC is a Denial of Service, it causes IE 6 to stop responding when tested, other versions are also likely vulnerable. Likely more to report on this flaw in the AM. The author reports that it is possible this issue could lead to remote compromise.

Update:
CVE will be CVE-2007-0099

Cheers,
Adrien de Beaupre 

0 Comments

Published: 2007-01-05

Advance info on Microsoft patches due on Jan 9

Microsoft have published their "Advance Notification" of patches to be released next week. A total of eight security relevant patches is expected, half of them for MS Office. Maybe, just maybe, we are going to get patches for the various little problems currently lurking in Microsoft Word (eg CVE-2006-6456 ).

Update 05/01/2007: Microsoft have announced they will be releasing only 4 patches on their regularly scheduled cycle. Link here.

0 Comments

Published: 2007-01-05

The missing Microsoft patches

Vulnerabilites that are widely known and/or actively exploited are of great interest to our readers, here we try to keep an overview of them

Affected Known Exploits Impact Known since
ISC rating(*)
clients servers
Internet Explorer msxml3 concurrency problems
Publicly posted exploit Remote DoS / Possibly code execution Jan 4th, 2007
unknown
unknown
NetrWkstaUserEnum() memory allocation exhaustion

CVE-2006-6723
Publicly posted exploit Remote DoS
Dec 25th, 2006
Less Urgent
Less Urgent
MessageBox() / csrss double free vulnerability

CVE-2006-6696
Publicly posted PoC exploits for XP, 2003 and Vista

MSRC blog
Privilege Escalation
Dec 15th, 2006
Important
Less Urgent
Office 2004 vulnerabilities (Mac version)

Unspecified vulnerabilites fixed in a accidentally released patch. Patch has been withdrawn after being public and eventually replaced with one without security fixes.
Exposed through a patch by Microsoft.

MSRC blog #1
MSRC blog #2
unknown
Dec 12th, 2006
unknown
unknown
Word unspecified vulnerability #3

CVE-2006-6561
Publicly available exploit.

MSRC blog
Remote code execution
Dec 12th, 2006
Critical
Important
Word unspecified vulnerability #2

CVE-2006-6456
MSRC blog #1
MSRC blog #2
Used in targeted attacks
Remote code execution
Dec 10th, 2006
Critical Important
Word unspecified vulnerability #1

CVE-2006-5994
Microsoft Security Advisory 929433
MSRC blog

Used in targeted attacks
Remote code execution Dec 5th, 2006
Critical Important
RPC in Windows 2000 SP4 UPnP and SPOOLS

CVE-2006-6296
CVE-2006-3644
Multiple publicly available exploits.
DoS
Nov 16th, 2006
Less Urgent
Important
ADODB.Connection ActiveX

CVE-2006-5559
MSRC blog

Public DoS  exploit.
Remote code execution
Oct 24th, 2006
Critical
Important
Workaround: set the killbit for 00000514-0000-0010-8000-00AA006D2EA4
Microsoft Windows NAT Helper Components

CVE-2006-5614
Publicly available exploit.
DoS
Oct 20th, 2006
Less Urgent
Important
PowerPoint 2003

CVE-2006-5296
MSRC blog #1
MSRC blog #2

Publicly available exploit.
DoS
Oct 20th, 2006
Less Urgent
Less Urgent

We will update issues on this page as they evolve.
We appreciate updates

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leaisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-caserole.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

--
Swa Frantzen -- Section 66

0 Comments

Published: 2007-01-04

Open Office WMF Heap Overflow Patch available.

Juha-Matti alerted us to the availability of the patch for the Open Office WMF Heap Overflow reported here.

The vulnerability involves an overflow in the processor for WMF and EMF files that could cause arbitrary code to be executed if a victim opens a specially crafted WMF/EMF file.

According to Red Hat this is under review as CVE-2006-5870.

0 Comments

Published: 2007-01-04

Multiple Vulnerabilities in Cisco Clean Access

Fellow handler Jim Clausing (thanks Jim) let us know about new vulnerabilities in Cisco Clean Access (CCA).

Summary

Cisco Clean Access (CCA) is a software solution that can automatically detect, isolate, and clean infected or vulnerable devices that attempt to access your network. It consists of Cisco Clean Access Manager (CAM) and Cisco Clean Access Server (CAS) devices that work in tandem.

Cisco Clean Access is affected by the following vulnerabilities:

  • Unchangeable shared secret
  • Readable snapshot files
The full advisory is available here


0 Comments

Published: 2007-01-03

PDF XSS vulnerability announced at CCC

A new cross-site scripting attack was announced at the 23rd CCC by Stefano Di Paola & Giorgio Fedon:
http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html
The gist of the attack is that you are able to get javascript executed by simple having it appended to the PDF's URL.

This is an example (from GNU Citizen): (line breaks added for aesthetic value)

www.google.com/librariancenter/downloads/Tips_Tricks_85×11.pdf#something \
=javascript:function createXMLHttpRequest(){   try{ return new \
ActiveXObject('Msxml2.XMLHTTP');  }catch(e){}   try{ return new \
ActiveXObject('Microsoft.XMLHTTP'); }catch(e){}   try{ return new \
XMLHttpRequest(); }catch(e){}   return null;}var xhr = createXMLHttpRequest(); \
xhr.onreadystatechange = function(){    if (xhr.readyState == 4)       \
alert(xhr.responseText);};xhr.open('GET', 'http://www.google.com', true)\
;xhr.send(null);

This doesn't require the ability to write the PDF, just the ability to generate a URL that is based on a
PDF hosted on some site.
There are a number of good explanations on this. I liked this one:
http://www.disenchant.ch/blog/hacking-with-browser-plugins/34

The original paper talks about more than this specific flaw and is certainly worth reading as well.

Mitigation: Turning off javascript seems effective at mitigating this. Militant use of the NoScript extension for
Firefox would be my recommendation. Of course you have to turn off javascript for _everything_ (specifically the target domains, not the website setting up the attack. in the Disenchant examples you would have to disable scripting for Google, MySpace, Microsoft, Ebay and BofA) but....

0 Comments

Published: 2007-01-03

Symantec attack uptick reported

Thanks to Mike who sent us the following note about what he's seen on his network. Anyone else seeing similar movement?

The Symantec AV attacks have picked up over the last day or so, as systems that were probably turned off over the holidays are turned on and infected by the worm.  Almost all of the attacks we saw just before Christmas were from other .edus; now we are seeing more attacks from systems in countries other than the US.  About 70% of the 186 systems that tried attacking us today were outside the US.  Brazil and Taiwan take top honors for most attacking hosts.

0 Comments

Published: 2007-01-03

VLC Media Player udp URL handler Format String Vulnerability

Welcome Fans to Day Two of the Month of Apple Bugs!
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
Today's contestants are: the MOAB team and VLC Media Player.
We have a special treat for you today as the vulnerability announced on this lovely Winter morning (okay, it hasn't stopped raining yet today and it was almost dark at 2:30pm and technically it's evening but...) impacts the VLC Media Player on both OSX and Windows.

MOAB team, the reigning champion after their highly noted win against Apple Quicktime yesterday by stack overflow had this to say about their opponent-
"A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC."

After a short bout MOAB was declared winner again by delivery of PoC for both x86 and PPC.
This contender has certainly come out strong but we'll see how they hold up as the month continues. That's all till next time sports fans.

0 Comments

Published: 2007-01-02

Cuckoo's egg on the face

Recently, when I couldn't find anything decent to read in an airport bookstore awash with "get rich quick" and "management" books, I ended up buying a copy of Cliff Stoll's "The Cuckoo's Egg". Yes, I've read this before, like every infosec professional should, but it's been a while. The first time 'round, I had read it pretty much like an entertaining crime novel. Not this time, when I kept asking myself "could this still happen today", and usually ended up answering in the affirmative. Take the password issue. Most of the problems Cliff had to fight revolve around guessable or disclosed passwords. That was back in 1987. Now, twenty years later, a significant portion of the hostile traffic seen by DShield are password guessing attacks against VNC, SSH, SMB. Looks like feeling smug about our achievements as computer security specialists might be a bit premature.



0 Comments

Published: 2007-01-02

Cross-Site (XSS) bug in GMail

Google starts into 2007 with a feature that allows bad guys to steal your GMail contacts list. http://blogs.zdnet.com/Google/ has more. But before you follow any links today, you should maybe make sure that you are not logged in on GMail...

Correction/Update:
This is actually a "Cross Site Request Forgery" (CSRF), not a "Cross Site Scripting" attack. Google had the bug fixed by the time the issue was made public.

A CSRF issue comes up if javascript is used to take advantage of the fact that a user is logged in to a particular site. In this case, hostile javascript can be used to send an HTTP request to the trusted site. In this case, the hostile javascript could be used to retrieve the users gmail contact list.

It is rather hard to avoid these bugs and expect more of them to be found. It is best practice to log out of sites (in particular banking sites) once you no longer need the content. This will limit the attack window for the most dangerous CSRF attacks. Limited use of javascript (should I mention the NoScript extension to Firefox again?) will help as well. But ultimately, this is an issue that has to be fixed by the website.

0 Comments

Published: 2007-01-01

Java 6 Released (in December)

Looking back, I do not see a diary mentioning that Java 6 was released after nearly 2 years of work in December.  Many of the updates to Java involve improved security functionality and memory leak updates.  A full list of updates is available at http://java.sun.com/javase/6/docs/technotes/guides/security/enhancements.html .  I would recommend adding this to the list of things that should be updated in the near future on client computers and servers. 

Thanks Robert for pointing this one out to me. Guess I get to do updates on my computers tonight while watching episodes of 24 and/or the Rose bowl.  Happy New Year all.

0 Comments

Published: 2007-01-01

Apple QuickTime RTSP URL Handler Vulnerability

 The Month of the Apple bugs seems to have started. The first bug is in the handling of RTSP URL's within Quicktime, leading to arbitrary code execution on both Windows and Mac OS. You can find the advisory here:
http://projects.info-pull.com/moab/MOAB-01-01-2007.html.  The MOAB blog states that you should disable the rtsp:// URL handler, however I have not determined how this is done.

Update 1:

Robert helped me find something I was missing.  Guess I am just blind today or was just paying a little too much attention to the bowl games.  To disable RTSP URLs in QuickTime, open the QuickTime control panel.  Then, select the File Types tab.  Expand the Streaming category and make sure the RTSP stream descriptor is unchecked.  Here is a screen capture of this from my Windows based computer.  I assume MacOS X computers have a similar control panel.   I recommend that you make sure that this is unchecked. 

0 Comments

Published: 2007-01-01

Good Morning 2007

Well, 2007 has finally made it to most all of the world. (Only about 4 timezones left to cross midnight as I write this.)  It is now time for you to send your annual membership renewal to the ISC.  If you act now, we will slash our usual price by 50%, so send your checks for $0.00 USD in care of Marc Sachs. :-)

Enough joking around.  A few things to mention to start out the first work day of the year.  I know that many of you have taken time to mitigate these things.  But I suspect many of you were in the same situation as I was regarding taking vacation time prior to the end of the calendar year.  So take heed, there are a few items that need to be addressed along with all of the normal Microsoft monthly updates, and other updates that may have been overlooked due to winter holiday season.

1) In November, Bojan discussed a WinZip vulnerability that was being addressed by an update. Exploit makers have not rested over the holiday break and milw0rm has released exploit code for this vulnerability.  It is advised that WinZip users update to 10.0 build 7245  or version 11 as soon as possible.  (Thanks Juha-Matti for that note.)

2) As a reminder, Symantec Client Security and Antivirus Corporate Edition customer should continue to make a priority of updating your managed hosts.  From the data I have seen at DShield, network activity involving this port is still elevated.  I would expect that as infected mobile users return to corporate networks or university campuses that this activity will spike at perhaps its highest level.  Unmanaged SAV-CE/SCS clients are not vulnerable to the issue in question, but should be updated as well.  Joel discussed the "SAV botnet" in late November as well.

3) If you haven't updated your antivirus signatures for both mail gateways and client systems, or even considered stripping executable content from email, then get to it.  This should have been common practice many years ago.  Yet it does seem like some organizations are not doing so.  I would hope that defense in depth will protect your organization from your click-happy users.  But it would be best to check and make sure that the configurations on your mail exchangers, IDS and antivirus products are rock solid.  There are a number of diary entries in the past week about the recent postcard.exe virus.

Update 1:

4)  InfoSec practitioners understand the importance of time and date accuracy when it comes to forensics.  So while you are updating your computers, take the time to check the time zone settings and accuracy of the clock.  In the United States, there is a Microsoft update for Daylight Saving Time that we discussed in November.  I would expect that other Operating System vendors have similar updates.  I would also encourage the use of a time server and synchronization application like NTP.  There is more information on NTP located at  http://www.ntp.org/ and http://www.eecis.udel.edu/~mills/ntp.html .  (Thanks Blake for the reminder on this.)

5) In many municipalities, various new rules and regulations went into effect.  Some of these may involve taxes or other updates that may need to be addressed in your business or e-commerce applications.  This would be a great thing to discuss with your developers and make sure they are making appropriate changes.


0 Comments