Diaries

Published: 2009-09-30

Cyber Security Awareness Month - Day 1 - Port 445 - SMB over TCP

Port 445 provides SMB over TCP.  From Microsoft  "Windows supports file and printer sharing traffic by using the Server Message Block (SMB) protocol directly hosted on TCP. This differs from earlier operating systems, in which SMB traffic requires the NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport."

If not at the top of the list, port 445 is always somewhere in the Top 10 list generated from Dshield data for targets, sources and reports.  Just a quick look at the activity graph shows a huge number of systems that are scanning from and being scanned on 445.  This has become much of the background noise on the Internet.

And it's no wonder.  How many worms and bots can you think of off the top of your head that use 445 to scan or exploit other systems?

If you're reading this diary, then hopefully you know to make sure port 445 is blocked at your firewall.  If, for some reason you didn't know to do this, stop what you're doing and block it now.  I'll wait.  :)

Blocking 445 at the firewall is relatively easy and solves many problems.  The real issue with 445 is internal.

445 needs to be open in Windows environments and is a prime conduit for the spread of malware internally.

So what can you do to protect yourself?  If you have a good way to limit internal traffic on port 445 in your network, send us a note or leave a comment and I'll post interesting notes as they come in.

Tracy sent a note mentioning one of my favorite ways to mitigate exposure due to 445 being open internally: HIPS.

He writes,

There are several great tools out there that you can use; my preference is a Host based IPS (HIPS).  Depending on the maker of the product you have a wide array of options that you can use to keep the system safe.  Some HIPS programs provide buffer overflow protection for processes that are standard in MS Windows, and they can detect scans of the machine and block all traffic from a host for a period of time.  Adding in the fact that they can also get signature updates and create custom signatures, this product gives you the best LAN protection while maintaining a well balanced CIA pyramid.

Well said.  Thanks Tracy!

Christopher Carboni - Handler On Duty

6 Comments

Published: 2009-09-30

To install AV, or Malware - That is the Question

Yesterday we posted a diary about the official release of Microsoft's new Security Essentials product.  Today we got a tip about a Websense blog entry alerting folks that they are already seeing Search Engine Optimization (SEO) poisoning attacks that have resulted in malicious URLs being included in the list of results when people search for "Microsoft Security Essentials".

While there *might* be some other sites that are offering up legitimate copies of the valid installation files, you really should go directly to Microsoft's Security Essentials site to download the installation files to be sure you are getting the expected software.

0 Comments

Published: 2009-09-30

Microsoft Security Essentials AV

Microsoft Security Essentials (MSE) hit the streets today (Thanks Kia for the heads up).  So I thought we'd have a quick look at it and let you know how it goes.

MSE replaces the OneCare offering and the free Defender installation standard on Vista installations.  It will provide you with malware detection and removal ONLY.  So do not rely on this as your one stop shop for security.  It does not have the features and functionality that many of the AV vendors provide in their products.  Think of this as AV as it used to be in 2000 or so.

There is no central management, and updates are taken from Windows Update (from the looks of it, not from WSUS).

The install is straightforward.  After downloading it (approx. 8MB), run the installer and follow the yellow brick road.  It does a genuine product check and after installation it will go and update itself.  I had trouble getting it to update when behind a proxy server, but I suspect that was a local issue.  Going direct it updates and applies the latest signatures.  Reportedly there will be 3 updates per day on average.

Detection rates seem to be quite good.  It seems to have found most of the things on a test malware drive.  I have to check more closely if it missed things and if so why.

There are plenty of people who don't want to pay for AV, we all have one or more in the family.  This will plug that gap, assuming the Windows version being used is legit.  

Mark H

6 Comments

Published: 2009-09-27

Use Emerging Threats signatures? READ THIS!

For all you who use the signatures supplied by Emerging Threats within your IDS deployment, time to pay attention!

Matt Jonkman over at ET has announced that they will be making some changes to the way their rules are categorised, which will result in you needing to change your configuration.

As these changes come into effect on the 2nd October 2009, if you use these signatures it's time to plan what you need to do to keep your IDS doing what you think it's doing.

For details, Matt has posted a detailed explanation over on the ET site.

 

0 Comments

Published: 2009-09-27

Cyber Security Awareness Month

October is Cyber Security Awareness Month, and as we have done the past two years we plan to use our handler diaries throughout the month to conduct a deep dive into various security issues.  In 2007 we covered a large range of subjects based on what our readers submitted as ideas.  In 2008 we took a closer look at the six steps of incident handling.  This year we are going to examine 31 different ports/services/protocols/applications and discuss some of the major security issues plus pass along reader comments on tips and tricks for securing it.

We're still working on our list but here are some examples of what we will be discussing on different days in October:

- telnet (port 23)
- SMB over tcp (port 445)
- ssh (port 22)
- Microsoft Terminal Services (port 3389)
- dns (port 53)

We will publish a complete list of what will be covered on each day shortly.

By the way, Cyber Security Awareness Month has expanded beyond the United States.  Since 2007, Canada also recognizes the month of October for cyber security awareness.  If you know of other countries that are recognizing October as Cyber Security Awareness Month, please pass them to us via our contact form and we'll update this diary to get a more complete list.

Canada:  http://www.publicsafety.gc.ca/prg/em/cbr/index-eng.aspx
United States:  http://www.dhs.gov/files/programs/gc_1158611596104.shtm

Marcus H. Sachs
Director, SANS Internet Storm Center


0 Comments

Published: 2009-09-26

Conficker detection hints

We received some good responses regarding Conficker detection recently.  Here are a couple of hints for people that are actively fighting infections on their networks.

First, you can look at your Windows domain controllers' security event logs.  Look for high numbers of Failure Events for logon attempts.  This technique is described in this Sophos KB article: http://www.sophos.com/support/knowledgebase/article/61259.html

Second, you can actively scan your network with nmap.  (Of course, make sure you have explicit authorization from management including dates/times before running any scanning tools.)  I recommend that you upgrade to the latest version (5.00) and give a command similar to the following:

nmap -PN -p139,445 -vv --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4 [target_networks] >nmap-conficker-scan-results.txt

Finally, you may also be able to just monitor a few hosts on your network for unsolicited TCP 445 traffic.  I like to do this with tcpdump from a *NIX box that is not employing Samba.  This approach doesn't guarantee that you are seeing Conficker, but you will probably find some source hosts that should be investigated further.
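As an added example (not from this diary, and not part of nmap, tcpdump or any tool mentioned here), the following script implements the monitoring approach just described: it reads tcpdump's one-line output and reports source hosts that open SMB connections to a "sentinel" box that serves no SMB at all (so every SYN to it is unsolicited), or that try many distinct hosts on 139/445 the way a worm does. It also serves the Port 445 diary above, since this is one concrete way to see which internal hosts are talking 445 to everything. The capture lines are constructed, the addresses are made up, and 10.1.2.9 is assumed to be the non-Samba sentinel where tcpdump runs.

```python
import re
from collections import defaultdict

# Matches the one-line format tcpdump prints for TCP packets, e.g.
# "12:00:01.000001 IP 10.1.2.3.49152 > 10.1.2.9.445: Flags [S], seq 1, win 8192, length 0"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

SMB_PORTS = {139, 445}

# Constructed sample capture (assumption: 10.1.2.9 is the tcpdump sentinel that
# runs no Samba, 10.1.2.5 is a legitimate file server, 10.1.2.50 is behaving like
# a worm).  Nothing here comes from a real network.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 10.1.2.50.49152 > 10.1.2.9.445: Flags [S], seq 1, win 8192, length 0",
    "12:00:01.000002 IP 10.1.2.50.49153 > 10.1.2.10.445: Flags [S], seq 1, win 8192, length 0",
    "12:00:01.000003 IP 10.1.2.50.49154 > 10.1.2.11.445: Flags [S], seq 1, win 8192, length 0",
    "12:00:01.000004 IP 10.1.2.50.49155 > 10.1.2.12.139: Flags [S], seq 1, win 8192, length 0",
    "12:00:02.000001 IP 10.1.2.20.50000 > 10.1.2.5.445: Flags [S], seq 1, win 8192, length 0",
    "12:00:02.000002 IP 10.1.2.20.50000 > 10.1.2.5.445: Flags [.], ack 1, win 8192, length 0",
    "12:00:03.000001 IP 10.1.2.30.51000 > 10.1.2.9.22: Flags [S], seq 1, win 8192, length 0",
    "12:00:03.000002 ARP, Request who-has 10.1.2.1 tell 10.1.2.30, length 28",
]


def parse_line(line):
    """Parse one tcpdump TCP line; return None for anything else (ARP, ICMP, ...)."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        # A bare SYN is a new connection attempt; "S." (SYN-ACK) and "." (ACK) are not.
        "syn_only": m.group("flags") == "S",
    }


def smb_connection_attempts(lines):
    """Return {source_ip: set(destination_ips)} for bare SYNs to 139 or 445."""
    attempts = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["syn_only"] and pkt["dport"] in SMB_PORTS:
            attempts[pkt["src"]].add(pkt["dst"])
    return attempts


def suspicious_sources(lines, sentinels=(), min_targets=3):
    """Flag sources that hit a sentinel (no SMB service, so the SYN is unsolicited)
    or that tried at least min_targets distinct hosts on SMB ports (scan-like)."""
    flagged = {}
    for src, dsts in smb_connection_attempts(lines).items():
        reasons = []
        hit = sorted(dsts & set(sentinels))
        if hit:
            reasons.append("unsolicited SYN to sentinel " + ",".join(hit))
        if len(dsts) >= min_targets:
            reasons.append("%d distinct SMB targets" % len(dsts))
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    # Real use: tcpdump -nn -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (port 445 or port 139)'
    # piped in on stdin; here we use the constructed capture above.
    for src, reasons in suspicious_sources(SAMPLE_CAPTURE, sentinels=("10.1.2.9",)).items():
        print(src, "->", "; ".join(reasons))
```

The legitimate client 10.1.2.20 talks to one file server and is not reported; 10.1.2.50 is reported twice over, once for touching the sentinel and once for the number of distinct targets. As the diary says, this does not prove Conficker, it only produces the list of hosts worth looking at first.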

Here is a link to our page of Conficker-related information: http://www.dshield.org/conficker.  It lists additional discovery tools, removal tools, and research.

Update 1: Fellow handler Andre Ludwig adds some caveats to the above.  First, the nmap detection may only detect one or two variants of Conficker.  The p2p-conficker.nse script states that it detects Conficker.c and higher.  For a script that attempts to identify older versions of Conficker, check out the scs2.py script from here: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker.  That page also has some Snort rules for detecting conficker.a and conficker.b.  Finally, check out the Snort rules at emergingthreats.net for a couple more rules to identify Conficker.c.

-Kyle Haugsness

2 Comments

Published: 2009-09-25

Malware delivered over Google and Yahoo Ad's?


www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/

A reader called this article to our attention today.  It is purported that Google, Yahoo and possibly other websites were victims of cyber crooks yesterday.  It appears that somehow the crooks managed to sneak malware into the ad syndication services.  According to the article in The Register:

"End users visiting sites that used the ad syndication services often saw nothing more than a brief flash as the malware-laced ads caused their browsers to open - and then close - a booby-trapped PDF file. But behind the scenes, the payload installed Win32/Alureon, a trojan that drops a backdoor on infected machines".

Looks like once again simply surfing the net can be deadly to your computer.  Just another example of why antivirus, IDS and other protective measures are so important to everyone.

Deb Hale Long Lines, LLC

2 Comments

Published: 2009-09-25

Conficker Continues to Impact Networks


It appears that Conficker is still alive and well. 

www.abc.net.au/news/stories/2009/09/23/2694401.htm

I heard about a local company today who on Monday of this week started having some pretty strange goings-on in their network and called in their consultants to try to figure out what was happening.  After much time spent trying to determine what was going on, it turned out to be "just another Conficker outbreak" (still being worked on, as a matter of fact).  They do have antivirus, but the infection went undetected for quite some time.  Why?  Because Conficker did what Conficker does: it overrode the security software and antivirus software so the bad guys could do their dastardly deeds while remaining undetected.  This company has close to 100 computers and more than 50% of them have been infected, some for a while it seems.  Conficker has continued to grow its little botnet and the bot herder is still spreading damage.  If you look at the "pictorial" representation of the spread in the US alone from January to July it is pretty amazing.

www.f-secure.com/weblog/archives/00001646.html

We also received an email today from a reader whose company was experiencing Conficker activity.  So perhaps there is a new wave of the bad guy coming.  So just a reminder - quick check -

www.confickerworkinggroup.org/infection_test/cfeyechart.html

If this Eye Chart doesn't display the logos of 6 of the top security sites in the world, you may be infected and will be the next to fall to the plight of the Conficker worm.


Deb Hale Long Lines, LLC

2 Comments

Published: 2009-09-25

Categories of Common Malware Traits

When examining malicious software, the analyst looks for several categories of traits that malware often possesses. Keeping these categories in mind during the reverse-engineering process helps avoid gaps in coverage, leading to a comprehensive report about the specimen's characteristics:

  • Propagation: How does the specimen spread? Malware may spread using networks and mobile media. It may exploit vulnerabilities in server or client-side software. It may have an element of social engineering, and may be loaded by the intruder manually. Propagation may be autonomous (as is the case with many worms) and may require user involvement (such as launching an email attachment).
  • Infection: How does the specimen embed itself in the system? Malware may run once, or may remain on the system via auto-run features. Run-once specimens may store themselves solely in memory. Malware may be packed, or may assemble itself dynamically by downloading additional components. Malware may attach itself to benign programs, or may function as a standalone process. Specimens also differ in the degree to which they resist disinfection attempts.
  • Stealth: How does the specimen conceal its presence? Malware may attempt to avoid signature-based detection by changing itself. It may time its actions to take place during busy time periods or to occur slowly, so that they don't stand out. It may embed itself within existing processes or network streams, modify OS functionality, and take other creative measures to decrease the chances that its presence will be discovered.
  • Capabilities: What "business purpose" does the specimen serve? Malicious software may be designed to collect data, perhaps by sniffing the network, recording keystrokes and screenshots, and locating sensitive files. Malware may also be programmed to wreak havoc on the system, perhaps by deleting or corrupting data, or to act as a pivoting point for attacking other systems. It may also provide the attacker with remote access to the system via a backdoor.

There are several additional categories of traits to consider. These may be considered a subset of the "capabilities" category. However, because modern malware often exhibits these characteristics, it makes sense to call them out separately:

  • Exfiltration: How, if at all, does the specimen transmit data out of the affected environment? Malicious software may send captured data over the network using clear-text and encrypted channels, and may rely on ICMP, HTTP, SMTP, and many other standard and custom protocols. Malware may also store data locally, waiting for the attacker to manually copy it off the infected system.
  • Command and Control: How, if at all, does the specimen receive updates and instructions? Malicious software may receive commands from the attacker by opening a local network port or by making outbound connections to the attacker's system using protocols such as DNS, HTTP, SMTP, or other client-server and peer-to-peer protocols. Malicious executables often have the ability to upgrade themselves according to a predefined schedule or via the attacker’s request.

Are any common malware characteristics missing from the groupings above? If so, please let us know.


-- Lenny

Lenny Zeltser - Security Consulting

Lenny teaches malware analysis at SANS. You're welcome to follow him on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.

0 Comments

Published: 2009-09-24

A couple more tools

In my continuing quest to find and check out new and interesting tools, I've noticed two of my favorites have recently been updated.  gpgdir is now at v1.9.5 and fwknop (for you single packet authorization fans) is now at v1.9.12.  Many thanx to our friend Michael Rash for these tools.

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

0 Comments

Published: 2009-09-23

CISCO Security Advisories

CISCO has released a number of security advisories.  The following table summarises the information.  For more details check out the full advisory on the CISCO site.

| #                           | Product                                | CVSS Score Base/Temp | Impact                               | Work Around/Fix | Mitigation                            | Exploit avail? |
|-----------------------------|----------------------------------------|----------------------|--------------------------------------|-----------------|---------------------------------------|----------------|
| cisco-sa-20090923-cm*       | Unified Communications Manager         | 7.8 / 6.4            | DOS (reload of device)               | N / Y           | Filter 5060/5061 on screening devices | Not known      |
| cisco-sa-20090923-acl       | IOS                                    | 4.3 / 3.6            | Unauth access to protected resources | N / Y           | Disable Object Groups for ACL feature | Not known      |
| cisco-sa-20090923-cme*      | Unified Communications Manager Express | 7.6 / 6.3            | Code execution/DOS                   | N / Y           | Disable Extension Mobility            | Not known      |
| cisco-sa-20090923-h323*     | IOS                                    | 7.8 / 6.4            | H.323 DOS (reload of device)         | N / Y           | Disable H.323                         | Not known      |
| cisco-sa-20090923-ios-fw*   | IOS-FW                                 | 7.8 / 6.4            | DOS (reload of device)               | Y / Y           | Disable SIP Inspection                | Not known      |
| cisco-sa-20090923-ntp       | IOS                                    | 7.8 / 6.4            | DOS (reload of device)               | N / Y           | Disable NTP                           | Not known      |
| cisco-sa-20090923-sip*      | IOS                                    | 7.8 / 6.4            | DOS (reload of device)               | N / Y           | Disable SIP                           | Not known      |
| cisco-sa-20090923-ipsec     | IOS-IPSEC                              | 7.8 / 6.4            | DOS (exhaust all SAs)                | N / Y           | None                                  | Not known      |
| cisco-sa-20090923-tls**     | IOS (ASA is not vulnerable)            | 7.8 / 6.4            | DOS (reload of device)               | N / Y           | Disable web VPN, protect SSH access   | Not known      |
| cisco-sa-20090923-auth-prox | IOS                                    | 7.1 / 5.9            | Auth Bypass                          | N / Y           | None                                  | Not known      |
| cisco-sa-20090923-tunnels   | IOS                                    | 7.1 / 5.9            | DOS (reload of device)               | Y / Y           | Disable CISCO express Forwarding      | Not known      |

 *Issues are VoIP related so may not apply to you
 ** Possibly the more urgent one, as a specific packet sent to the device will cause it to reload.

For more information on the CVSS score see http://nvd.nist.gov/cvss.cfm?vectorinfo; make sure you apply your site specific modifiers to get a score relevant to your organisation.

As always, test, test again and have a backout plan before applying updates.


Mark H 

2 Comments

Published: 2009-09-23

Storing passwords

I have a problem, no, a challenge, for you all.  How do you store passwords that have to be shared between team members?

I'm confident in saying that every IT environment has this problem.  You have passwords for service accounts, printers, switches, routers, firewalls, admin passwords for products, build passwords when building servers or desktops, etc, etc, etc.  Many of these can only be accessed through a limited userid and can't be hooked into a RADIUS server.  Many of these don't need to be used often, but they do need to be recorded, and in a typical IT environment there are likely to be a number of people that need them.  So how do you share them in a sane manner?

Some of the examples I've come across include the traditional Word document or spreadsheet, which sometimes even has a password.  Other examples are databases, Lotus Notes, MS Access, Sharepoint pages, wiki pages, post-it notes and commercial tools; some are better solutions than others.  So I'd like to know what you do when faced with this issue.  Send some in and we'll share your experiences in an update.

UPDATE

Thank you all for contributing, the response has been excellent.  Most of the methods used have been reflected in the comments.  

Mike has one for the *nix users out there.   

"My preferred method is an encrypted file (using vi -C) read/write only by root on a system like a nis master, where you have to log in as you then using either pfexec or sudo to access the file.

This satisfies the theory that you need to have a user account on the correct system, the correct privs and know just one more password - this is reasonably straightforward.
One additional safeguard is using a version control system like the builtin (on Solaris) sccs to keep a good record."

Joost uses Keepass like many in the comments.  

"On a share only accessible by IT we have 2 keepass (http://keepass.info/) databases. Both are protected by a password and a keyfile (on a usb stick).

database 1 is for all passwords that are for the helpdesk, network- and systemadmins.
database 2 is only for network- and systemadmins."

Several people wrote in regarding the eDMZ product. 

Bryan mentions their own application:

"we used to have a commercial app, then we started having problems. So we built our own internal PHP-MySQL webapp. It is only accessible via HTTPS, and the database uses MySQL's built in AES encryption to store the password data encrypted. Users must enter a username, password, and encryption key to login. This does make the encryption key short, but it is never stored in the application itself.

It is a stand-alone webapp at the moment, but we are planning on having it connect to AD for authentication, and writing in permissions to limit user/group access to passwords."

A few readers also use the good old piece of paper and safe method, after all you don't really need to use these shared accounts often, if at all.  

Thank you all for your excellent contributions.   

Mark


46 Comments

Published: 2009-09-23

Addendum to SRI's Conficker C Analysis Published

SRI recently updated their Conficker C analysis with another addendum, this one covers Conficker C's P2P protocol and implementation.  Here's the abstract of the new addendum:

This report presents a reverse engineering of the obfuscated binary code image of the Conficker C peer-to-peer (P2P) service, captured on 5 March 2009 (UTC). The P2P service implements the functions necessary to bootstrap an infected host into the Conficker P2P network through scan-based peer discovery, and allows peers to share and spawn new binary logic directly into the currently running Conficker C process. Conficker's P2P logic and implementation are dissected and presented in source code form. The report documents its thread architecture, presents the P2P message structure and exchange protocol, and describes the major functional elements of this module.

As always, this is a GREAT report from the Malware Threat Center at SRI. 

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2009-09-22

Insider Threat information at CERT

If you have ever dealt with insider threats, you will understand the complexity and sensitivity of these issues. The best resource on this topic is at the CERT website. They have been researching insider threats for over 8 years and have released a multitude of studies as well as best practices based on several hundred actual insider cases. Lots of good information that can help you while dealing with insider threats.

0 Comments

Published: 2009-09-22

ESTA scam

For visitors under the Visa Waiver program going to the US, there's a requirement to apply for ESTA before traveling. Details about this program here. It is supposed to be a free process according to cbp.gov.

A reader by the name of AK wrote in and advised us that some possible scam sites are on the Internet charging a fee for people to apply to the ESTA program. No word on whether the applicants actually get the ESTA through the scam sites or whether the information is stolen for other purposes.

The real website for ESTA application is  https://esta.cbp.dhs.gov/esta/esta.html   Be aware of the fake sites.

------------------------------
Jason Lam, http://twitter.com/jasonlam_sec

0 Comments

Published: 2009-09-21

Facebook Issues Earlier Today?

Several readers wrote in to let us know of some reports in the media today concerning access to Facebook.  We at the SANS ISC are not currently aware of any issues, and the Facebook blog does not make mention of any access issues impacting their site.

G.N. White

Handler On Duty

4 Comments

Published: 2009-09-21

Microsoft Releases A "Fix it" Workaround For SMBv2 Vulnerability

As pointed out by several folks writing in to the ISC Handlers group, Microsoft has updated its Security Advisory 975497 - Vulnerabilities in SMB Could Allow Remote Code Execution - to include a "Fix it" workaround that makes it rather easy to disable SMBv2.

The "Fix it" links can be found in two locations:

- Microsoft Knowledge Base Article 975497

(and my personal favorite)

- The Microsoft Security Research & Defense Blog


G.N. White

ISC Handler On Duty (Maybe they should call it "One Click")


0 Comments

Published: 2009-09-20

Insider Threat and Security Awareness

Let’s face it, some days are just more exciting than others (we can always count on Patch Tuesdays).  While studying the newest vulnerabilities is interesting, there is nothing quite like the rush of “incident handling” adrenaline.  Okay, so right now there is an interesting new Zeus bot email scam and more clickjacking attacks.  It seems like a never ending hamster wheel; we can never quite catch up!  Just as we are finally getting our operating systems, applications and peripheral devices locked down, it pays to remember that employees will always be a risk that needs mitigating.

This economy is putting your network in jeopardy in more ways than just your declining security budget.  Employees may be finding new ways to hijack your proprietary software, marketing plans or customer lists.  Of course you have policies that control office cyber behavior, but there will always be those few special employees who will figure out how to make their browser a notepad to hijack your customer PII.  Budget time can leave us drained, so remember that the human factor is still our greatest deficit.  People who are starving will steal to eat, and people trying to pay their mortgages may become extremely creative in their methods of obtaining intellectual property or credit card numbers.  At upwards of $2 a pop, just one account database can add up quickly.  As we approach Security Awareness Month in October, take a few minutes to resolve not to let your security efforts be sidetracked.  Use this opportunity to remind employees not only what steps they can take to be safe online, but also that you are still monitoring their usage and that they should have no expectation of privacy while on the organization’s network.  Pull together your inexpensive insurance policy this week.

Mari Nichols

Handler on Duty

0 Comments

Published: 2009-09-19

Sysinternals Tools Updates

Once again Mark Russinovich and company have made updates to some of the Sysinternals tools.  There are new versions of Process Monitor (v2.7), procdump (v1.5), VMMap (v2.4), and Autoruns (v9.54).

For those of you who are not familiar with Sysinternals tools: they allow you to access the guts of Windows using easy to use tools.  They are indispensable for malware behavioural analysis and should be in the toolbox of anyone who needs to troubleshoot Windows issues.

Process Monitor permits monitoring of  file system, registry and process activity in real-time.

Procdump monitors for CPU spikes and hung windows and creates a crash dump which can be used to debug the spike.

VMMap permits analysis of virtual and physical memory requirements of processes.

Autoruns can be used to analyze or debug program startup during boot or login.

Also as of today Filemon and Regmon have been officially retired and removed from the Sysinternals site.  The functionality of those two tools has long ago been rolled into Process Monitor, but those of us who have used Sysinternals tools for a long time will still be nostalgic to see them go.  For many of us Filemon and Regmon were the first Sysinternals tools we used and they opened our eyes to the inner workings of Windows.


-- Rick Wanner - rwanner at isc dot sans dot org

0 Comments

Published: 2009-09-18

Results from Webhoneypot project

[Cross posting with App Sec Streetfighter blog]

The SANS ISC Webhoneypot project was started over a year ago and the client has been in public beta since June. We have been collecting data from honeypots since January. The goal of the project is to collect quantitative data about the prevalence of large scale automated attacks.

We are now ready to share some collected data with the community. Our intention is to share the data and findings with the community in the same manner as the original DShield project.

The high level stats of the Webhoneypot can be found at
http://isc.sans.org/weblogs/

Various reports can be found at
http://isc.sans.org/weblogs/reports.html

A limited search interface can be found at
http://isc.sans.org/weblogs/filter.html

These report pages, and especially the search interface, are currently in beta. We intend to refine them as the project matures. We appreciate any feedback on these reports and search capabilities.

Feel free to analyze the data as you wish, if you spot anything interesting, please write to us. Thanks and happy log reading.

0 Comments

Published: 2009-09-17

Snort 2.8.5 is out

A new version of the popular open source IDS has been released. There are some cool new features, of which I like the ability to specify multiple configurations bound to different VLANs or IP addresses.

More information is available at VRT's blog http://vrt-sourcefire.blogspot.com/2009/09/snort-285-release.html and you can download it from http://www.snort.org/downloads

--
Bojan

2 Comments

Published: 2009-09-17

Why is Rogue/Fake AV so successful?

Rogue AV programs have become increasingly common in the last two years. We at the SANS Internet Storm Center get messages from our readers about new rogue AV sites daily.

It is obvious that the bad guys are making (serious?) money with this scamming scheme. There are a couple of interesting things about rogue AV programs. First, the bad guys here do not (in most cases) use any sophisticated attacks on clients. They instead rely on visitors to willingly install their "AV program". How do they do this? Through social engineering – they create web pages which are very authentic copies of legitimate screens in Windows operating systems. These web pages make visitors believe that their machine is infected with several malicious programs and that the offered "AV program" can help them clean it.

Once the rogue AV program is installed, the victim has to pay money to get it "working" or, in some cases, even to uninstall it. So the money making scheme is simple (some rogue AV versions even steal local data and install keyloggers).
In order to get people to visit their web sites serving rogue AV programs, the attackers use different vectors – they even follow the news: only a couple of hours after Patrick Swayze's death, search engines were filled with bogus pages pointing to rogue AV programs.

The main reason, however, why rogue AV is so successful is its persistence and attention to detail - the web page they use to scare the visitor looks almost exactly like Windows' Security Center. One such page is shown below:

[Image: Rogue AV]

I was, of course, interested to see what else they do so I decided to analyze the code behind. First of all, I must say that the code is very elegant and clean, it's obvious that the bad guys got a real programmer to code the page (and malware?) for them.

The web page uses jQuery, a well known and popular JavaScript library. After setting up the environment, the JavaScript code on the web page shows a fake scan of the machine with seemingly random file names. The file names are actually grabbed from a huge array contained in a separate file (flist.js). The file names in this array (there are 1100 of them) are actually copied from a Windows XP machine (the C:\Windows\System32 directory). This, of course, increases the authenticity of the scan.

After the scan finishes, the user is informed that the machine is infected with viruses. The JavaScript code on the web page initially sets up some handlers, so no matter what the user does next he will see a window notifying him that his machine is infected (interestingly, the attackers used the JavaScript confirm() method to display this message).

[Image: Rogue AV warning]

Of course, this wasn't generated by Windows – it's actually just an image the attackers created. The "Remove all" and "Cancel" buttons aren't real buttons either, just part of the image, which has a handler that gets executed wherever the user clicks. You guessed it: on a click it will try to download the rogue AV program. To eliminate any confusion, they also show this nice window where they explain exactly what needs to be done in order to install their rogue AV program.

[Image: Rogue AV run info]

It is no longer surprising that rogue AV programs are infecting so many machines. The devil is in the details, and the attackers made damn sure that all the details are there to fool the potential victims.

--
Bojan

14 Comments

Published: 2009-09-16

SMB2 remote exploit released

Last week Guy posted a diary (http://isc.sans.org/diary.html?storyid=7093) about a 0-day vulnerability in SMB2 on Windows Vista and Server 2008 operating systems. Back then the exploit only crashed affected systems.

This is already bad enough; however, it just got worse. Yesterday a well known security company added a module for their exploitation product. The module contains the remote exploit for this vulnerability – in other words, any user running this tool can get full access to affected machines.

If the exploit is stable enough, it can _very easily_ be used in a worm, so it can potentially be devastating.
So, if you are running a Windows Vista or Server 2008 machine (Windows 7 RTM is not affected, RC *is*), be sure to apply one of the workarounds listed by Microsoft (they are not perfect, but they can help), available here:

  • Run a host based firewall which will block access to ports 139 and 445. Please note that the built-in firewall in Windows Vista will automatically block this traffic if your location is set to Public. In other words, if you connect to a wireless network at Starbucks and set this, you will be fine, but if you are inside your organization you are probably vulnerable, unless your administrators went one step further and used group policies to properly configure your firewall.
  • Disable SMB2. This has some performance impacts, but it's nothing one can't live without until the patch is out. However, it requires modifying the registry.

We will keep an eye on the development and will update the diary as necessary.

--
Bojan

2 Comments

Published: 2009-09-16

IETF Draft for Remediation of Bots in ISP Networks

A new IETF draft document focused on how ISPs may detect botnet infections among their subscribers, how to notify customers, and end-user recommendations to remediate the infection, has been published today:

The document sets out the current state of the art and best practices for botnet detection, threat communications between parties, and especially notifications to Internet users via multiple methods: mail, phone, web portals, IM, SMS, etc.

The authors are looking for feedback from the community, so if you belong to an ISP or are interested in the topic, contact Nirmal Mody (one of the authors) by e-mail. The contact details are at the end of the IETF draft document.

--
Raul Siles
www.raulsiles.com

2 Comments

Published: 2009-09-16

Review the security controls of your Web Applications... all of them!

Are you applying consistent security controls to all the input vectors of your Web Applications? Attackers are finding these inconsistencies and flaws... and exploiting them!

Robert (Thanks!) sent us a link to a blog post by Ryan Barnett (WASC & OWASP), "Distributed Brute Force Attacks Against Yahoo". It is an awesome educational example of how important it is to apply consistent security controls to all the input vectors of your Web Applications, especially when new functionality is added. Are you applying the same controls to access through your standard web page and to access through your brand new Web Services API? The best way to set this up is through a common security library that implements all your security controls and is invoked from all the web entry points. If your development team doesn't know how to start implementing this, a good community reference is the OWASP Enterprise Security API (ESAPI) library.

In this incident, the problem lies in the lack of strict controls in the authentication mechanism to Yahoo's infrastructure when access is performed through the Web Services API. They failed to implement security 101 on the Web Services input: not only is the CAPTCHA control that prevents brute forcing missing, but the error messages disclose which portion of the credentials is wrong, the username or the password :( Attackers found it.
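To make the "common security library" point concrete, here is an added example (not code from the post, from Yahoo or from OWASP ESAPI): one authentication routine that both the web form and the Web Services API call, next to a separate API path that shows the two flaws described above, no CAPTCHA after repeated failures and error messages that reveal whether the username or the password was wrong. The user store, the CAPTCHA threshold and the message strings are constructed for illustration.

```python
"""Added example, not code from the ISC post, Yahoo or OWASP ESAPI: one shared
authentication routine that both the web form and the Web Services API call,
next to a separate API path that shows the two flaws the post describes
(no CAPTCHA after repeated failures, and error messages that reveal whether
the username or the password was wrong).

The user store, CAPTCHA threshold and message strings are constructed here;
a real deployment would keep the failure counters in persistent storage.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple

CAPTCHA_AFTER = 3                 # constructed: failures before a CAPTCHA is demanded
GENERIC_FAIL = "Invalid username or password."
KDF_ROUNDS = 50_000

UserStore = Dict[str, Tuple[bytes, bytes]]   # username -> (salt, PBKDF2 hash)


def make_user_store(plain: Dict[str, str]) -> UserStore:
    """Hash constructed test credentials with a per-user random salt."""
    store: UserStore = {}
    for name, password in plain.items():
        salt = os.urandom(16)
        store[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS))
    return store


def verify_password(users: UserStore, username: str, password: str) -> bool:
    """Always runs the KDF, so an unknown username does not answer faster
    than a wrong password; the digest comparison is constant-time."""
    salt, expected = users.get(username, (b"\x00" * 16, b"\x00" * 32))
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return username in users and hmac.compare_digest(got, expected)


@dataclass
class AuthService:
    """The single place where the login controls live."""
    users: UserStore
    failures: Dict[str, int] = field(default_factory=dict)

    def login(self, username: str, password: str, captcha_ok: bool) -> Tuple[bool, str]:
        # Count failures per account, not only per source IP: a distributed
        # brute force spreads its attempts over many sources but still hits
        # the same accounts.
        key = username.lower()
        if self.failures.get(key, 0) >= CAPTCHA_AFTER and not captcha_ok:
            return False, "CAPTCHA required."
        if verify_password(self.users, username, password):
            self.failures.pop(key, None)
            return True, "OK"
        self.failures[key] = self.failures.get(key, 0) + 1
        return False, GENERIC_FAIL   # same text whichever part was wrong


def web_login(svc: AuthService, form: Dict[str, str]) -> Tuple[bool, str]:
    """Browser entry point: nothing but field mapping, then the shared routine."""
    return svc.login(form["user"], form["pass"], form.get("captcha_ok") == "1")


def api_login(svc: AuthService, body: Dict[str, object]) -> Tuple[bool, str]:
    """Web Services entry point: same controls, because it is the same routine."""
    return svc.login(str(body["username"]), str(body["password"]),
                     bool(body.get("captcha_ok", False)))


def legacy_api_login(users: UserStore, username: str, password: str) -> Tuple[bool, str]:
    """The inconsistent pattern the post warns about: a second code path with
    its own weaker checks. It never counts failures, and its messages tell a
    caller which half of the credential to keep guessing."""
    if username not in users:
        return False, "Unknown user"
    if not verify_password(users, username, password):
        return False, "Wrong password"
    return True, "OK"


if __name__ == "__main__":
    store = make_user_store({"alice": "s3cret!"})      # constructed test account
    svc = AuthService(store)
    for _ in range(3):
        print(api_login(svc, {"username": "alice", "password": "guess"}))
    print(web_login(svc, {"user": "alice", "pass": "s3cret!"}))   # CAPTCHA now required
    print(legacy_api_login(store, "nobody", "guess"), legacy_api_login(store, "alice", "guess"))
```

Both entry points share the failure counter, so three bad API attempts make the web form demand a CAPTCHA too; the legacy path answers "Unknown user" or "Wrong password", which is exactly the disclosure the post calls out.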

Another good example I like to use when teaching Web-App security and pen-testing is the inconsistent XSS filtering MySpace established when their mobile functionality was added back in early 2008. Let's learn from the big web players and avoid the same mistakes in our web environments!

Consistency and thoroughness are key elements to keep the security level of your complex web infrastructure in shape!

--
Raul Siles
www.raulsiles.com

Shameless plug: I will be teaching the "Web App Penetration Testing and Ethical Hacking" (SEC542) class in London at the end of November, 2009. Hope to see some of our ISC readers there!

0 Comments

Published: 2009-09-16

Wireshark 1.2.2 (and 1.0.9) is out!

The Wireshark team has released a new version of the famous graphical traffic sniffer and protocol analyzer, 1.2.2 (and 1.0.9 for those still running the old stable branch), due to multiple security vulnerabilities affecting the GSM, OpcUa, and TLS dissectors (the latter is especially relevant), plus fixes for other memory leaks. An attacker might force Wireshark to crash remotely during live captures or by convincing someone to read a malformed packet trace file.

More information is available on the official advisory page and in the release notes. Time to update Wireshark! If for any reason you cannot update, please disable these three dissectors following the steps in the advisory.

--
Raul Siles
www.raulsiles.com

0 Comments

Published: 2009-09-15

SANS releases new Cyber Security Risk Report

SANS today released a new Cyber Security Risks report. The report used data from Tippingpoint, Qualys, the Internet Storm Center and input from SANS faculty like Ed Skoudis and Rob Lee.

Some of the key findings include that operating systems are, for the most part, less and less of a problem. There are few attacks against the operating system itself, and patching has become pretty robust when it comes to the operating system and its core components. However, third party applications (think Adobe, Java, QuickTime) are a big problem, and they are usually not well covered by existing controls.

On the server side, web applications are of course the big entry point for an attacker. In particular the combination of vulnerable web applications and vulnerable client software is frequently used to inject a client exploit into a web application in order to pivot and attack inside the attacked network.

The report includes case studies of actual attacks to underline these points.

For details, see http://www.sans.org/top-cyber-security-risks

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

2 Comments

Published: 2009-09-13

Windows autoplay behavior updated (improved)

Microsoft has delivered on their promise to backport the improved autoplay behavior in Win7 to older versions of Windows. This is definitely a good thing and I for one am going to be implementing this on every system I have any sort of control over. I'd encourage y'all to do the same.

http://support.microsoft.com/kb/971029

1 Comments

Published: 2009-09-13

Information Leakage in Cloud Computing

An interesting paper was published this last week discussing ways of determining the physical system your VM is residing on and influencing that placement. This creates interesting potential for data leakage and discovery of information about the systems that are co-resident on the same hardware.

Yes, I know this is a small step and I'm not arguing that this alone shows that you should never use cloud computing again. However, I would argue that this is exactly the kind of attack that you need to be concerned about as more and more systems are virtualized and put into a cloud. In addition, since most people are used to not thinking about these sorts of attacks, there is a high likelihood that this will be a blind spot in the development of virtualization technology and cloud infrastructure.

The actual paper: http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf

A nice summary article about it: http://www.computerworld.com/s/article/9137507/Researchers_find_a_new_way_to_attack_the_cloud

1 Comments

Published: 2009-09-12

Apple Updates

Microsoft had their monthly patch day this past Tuesday.  Mozilla released new versions of Firefox.  Oracle and Adobe pushed theirs back a week, so look for them next week.  Cisco released their update to coincide with Microsoft's.  Well, not to be left out, Apple also released a number of updates this week.  Some of these look like they could be rather serious, so if you are using any of the affected software, you should probably update ASAP.

  • iPhone OS 3.1 and iPhone OS 3.1.1 for iPod Touch - covers CVE-2009-2206, CVE-2009-2794, CVE-2009-2207, CVE-2009-2795, CVE-2009-2815, CVE-2009-2796, CVE-2009-2797, CVE-2009-1725, CVE-2009-1724, and CVE-2009-2199
  • QuickTime 7.6.4 -  covers CVE-2009-2202, CVE-2009-2203, CVE-2009-2798, and CVE-2009-2799
  • Mac OS X v10.6.1 - which fixes the downgrade of the Adobe Flash player that occurred when upgrading to 10.6
  • Security Update 2009-005 - this update applies to the 10.4 and 10.5 branches of OS X (including PowerPC versions) and fixes issues with Alias Manager, CarbonCore, ClamAV, ColorSync, CoreGraphics, CUPS, Flash Player plug-in, ImageIO, Launch Services, MySQL, PHP, SMB, and the Wiki Server.

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

0 Comments

Published: 2009-09-12

OSSEC version 2.2 available

This past week version 2.2 of one of our favorite free HIDS products, OSSEC, was released.  If you run WordPress, the WordPress logging plugin alone is reason enough to give the new version a look. 

References:
http://www.ossec.net/main/ossec-v22-released
http://www.ossec.net/wpsyslog2
http://www.ossec.net/main/downloads

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

0 Comments

Published: 2009-09-10

Firefox 3.5.3 and 3.0.14 have been released

Thanks to all those who have sent in overnight submissions to alert us to the release of Firefox 3.5.3 and 3.0.14.

There are 3 critical security fixes in the 3.5.3 advisory. Mozilla have the details of the fixes contained in their security advisory located here.

There are 3 critical and 1 moderate security fixes in the 3.0.14 advisory. Mozilla have the details of the fixes contained in their security advisory located here.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

0 Comments

Published: 2009-09-10

Healthcare Spam

 

Shorty after President Obama finished his speech about healthcare earlier tonight, our reader Roy received an email advising him to sign up for a "Low Income Healthcare Enrollment". If you see something similar, let us know. The possibilities for phishing, malware and other scams are endless with current events like this.

As usual, you will not receive an e-mail from a government agency asking you to divulge your private information on a random website.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

0 Comments

Published: 2009-09-09

Possible DDOS on gov.au sites starting tonight?

The group Anonymous, who were reported to be responsible for the attack on Scientology sites, now have the Australian Government in their sights.  In 2008 the Australian Government decided that the internet should be filtered.  They are running trials with a number of ISPs.  Within Australia there is a fair amount of resistance to this practice for a number of reasons.  You can read the government position here (http://www.dbcde.gov.au/online_safety_and_security/cybersafety_plan/internet_service_provider_isp_filtering).   This Wikipedia article has more information on the issue as well (http://en.wikipedia.org/wiki/Internet_censorship_in_Australia)

In addition to opposition to this scheme within Australia, it looks like the group Anonymous has also become involved.  A web site, 09-09-2009.org, was set up, and it looks like activities are coordinated through another web site.  The crux of their demands is for the senator responsible for the filtering scheme to resign and the plans for filtering to be abandoned, or else.

The "or else" is a DDOS attack on Australian government sites starting at 9:00 am GMT, which is 7:00 PM on the east coast.  Fax machines and phone lines may also be targeted.  Some "interesting" activity has been observed on some of the networks, but whether this is related or not is uncertain at this stage.

In preparation, make sure you have your incident handling processes ready, and make sure that servers and other perimeter devices are patched so they are better able to resist attack.  You may want to have your ISP's contact details handy just in case you need them to stem the flow of traffic.  If your infrastructure is outsourced, maybe ask the outsourcer what plans they have in place, should anything happen.   But most importantly, decide if switching off the site in the face of an attack is an option for you.

Mark H

7 Comments

Published: 2009-09-08

Bug Fixes in Sun SDK 5 and Java SE 6

Sun released 17 bug fixes for JDK 5 Update 21. There are no new security vulnerability fixes in this update. Support has also been added for Windows Vista SP2 and Windows Server 2008 SP2. The bulletin is available here.

Sun released a bug fix for Java SE 6 Update 16. There are no new security vulnerability fixes in this update. Users who have Java SE 6 Update 15 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. The bulletin is available here.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

1 Comments

Published: 2009-09-08

Cisco Security Advisory TCP DoS

ISC reader Kurt reported that Cisco has released an advisory on TCP state manipulation vulnerabilities that cause a denial of service affecting multiple Cisco products. An attacker who forces TCP connections into a long-lived or indefinite state can prevent new TCP connections from being accepted, potentially causing an indefinite DoS.

Additional information on the Cisco advisory is available here.

The following products are affected:

  • Cisco IOS-XE Software
  • Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected if they are configured with specific features
  • The version of Cisco NX-OS Software that is running on Cisco Nexus 5000 and 7000 series devices
  • Scientific Atlanta customers are instructed to contact Scientific Atlanta's Technical Support for questions regarding the impact, mitigation and remediation of the vulnerabilities
  • Customers with Linksys products should contact Linksys security for questions regarding the impact, mitigation and remediation of the vulnerabilities

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

UPDATE

In addition to the Cisco advisory there is some additional information and response to the issue from other vendors here ==> https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html  - M

1 Comments

Published: 2009-09-08

Microsoft September 2009 Black Tuesday Overview

Overview of the September 2009 Microsoft patches and their status.

Columns: # / Affected / Contra Indications / Known Exploits / Microsoft rating / ISC rating(*) for clients and servers

MS09-045 - JScript Scripting Engine
  Request handling vulnerability leads to a remote code execution. Replaces MS06-023 for MS Windows 2000 SP4.
  CVE: CVE-2009-1920
  Contra indications: KB 971961
  Known exploits: No known exploits
  Microsoft rating: Severity: Critical, Exploitability: 1
  ISC rating: clients Critical, servers Critical

MS09-046 - DHTML Editing Component
  A vulnerability exists in the DHTML Editing Component ActiveX Control.
  CVE: CVE-2009-2519
  Contra indications: KB 956844
  Known exploits: No known exploits
  Microsoft rating: Severity: Critical, Exploitability: 2
  ISC rating: clients Critical, servers Important

MS09-047 - Windows Media Format
  This vulnerability could allow remote code execution if a user opened a specially crafted media file. Replaces MS08-076 for MS Windows Media Services 2008.
  CVE: CVE-2009-2499, CVE-2009-2498
  Contra indications: KB 973812
  Known exploits: No known exploits
  Microsoft rating: Severity: Critical, Exploitability: 1,1
  ISC rating: clients Critical, servers Critical

MS09-048 - Windows TCP/IP
  Vulnerabilities exist in Transmission Control Protocol/Internet Protocol (TCP/IP) processing.
  CVE: CVE-2008-4609, CVE-2009-1925, CVE-2009-1926
  Contra indications: KB 967723
  Known exploits: No known exploits
  Microsoft rating: Severity: Critical, Exploitability: 3,2,3
  ISC rating: clients Critical, servers Critical

MS09-049 - Wireless LAN AutoConfig Service
  A vulnerability in the Wireless LAN AutoConfig Service.
  CVE: CVE-2009-1132
  Contra indications: KB 970710
  Known exploits: No known exploits
  Microsoft rating: Severity: Important, Exploitability: 2
  ISC rating: clients Critical, servers Critical
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): If installed.

(***): Critical of ISA servers

Update 1: All KB and CVE links have been updated

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

3 Comments

Published: 2009-09-08

Microsoft Security Advisory 975191 Revised

We wrote about the new IIS FTP service vulnerabilities when the exploit code became public in diary 7039 and when Microsoft published their advisory some time afterwards in diary 7063. Not surprisingly Microsoft have revised their security advisory letting us know that there have been reports of incidents where this exploit was used to compromise systems. This might seem counter intuitive as the exploit code was public prior to the advisory coming out. It is more likely that there were few reports, however the exploit was being actively used. There are not all that many IIS servers running FTP on the Internet, in fact there are fewer public FTP servers than in the past. Where this exploit may have been used is attacking internal FTP servers. 

Microsoft have also reminded admins that version 7.5 of their FTP service is available for download (although only for Windows Server 2008), and is not vulnerable to these attacks. Hopefully a patch will be out shortly.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

 

1 Comments

Published: 2009-09-08

Vista/2008/Windows 7 SMB2 BSOD 0Day

We have received a report from Tyler about a vulnerability in Microsoft SMB2 that allows affected systems to be crashed remotely; proof-of-concept code was published yesterday and a Metasploit module is out.

We have confirmed it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled, and a single packet is enough to create a BSOD. We recommend filtering access to TCP port 445 with a firewall.

Windows 2000/XP are NOT affected by this exploit.

We will update this diary with more information as we get it.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

5 Comments

Published: 2009-09-08

Anybody recognize these packets?

I have been looking at a packet trace sent in by a reader, and have reached a dead end. He has been receiving the packets on his network for better than a month.  The volume is not high enough to be a DOS.  The sources are all over the world, although mostly high-speed customers. I was hoping one of you may have seen these packets before...

The packets are all UDP. The source ports vary, but the destination port in this case is always 49261.  The data portion of the packets is either 35 or 31 bytes.  Although the data changes from source address to source address, for any given source the source port and the data is always the same.

There does not appear to be any return traffic.

The data portion of a typical 35 byte packet will look similar to the following (colon delimited):

 8d:da:d1:17:5d:5c:68:96:cb:45:e7:a7:03:dc:9b:00:00:01:00:0c:00:00:00:c3:02:49:50:40:83:53:43:50:41:02:00

The final portion 49:50:40:83:53:43:50:41:02:00 is identical for every 35 byte data packet.

The data portion of a typical 31 byte packet will look similar to the following:

70:d4:30:05:70:5b:42:43:3a:7b:07:51:ce:f7:49:00:00:01:00:08:00:00:00:c3:83:53:43:50:41:02:00

The final portion 43:50:41:02:00 is identical for every 31 byte data packet.

Anybody seen these before?  Can anybody shed light on what they might be?
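As an added example (not code from the diary), the following script turns the description above into a check that can be run over a capture: it parses the two quoted payloads, classifies packets by the length and trailing-byte pattern described, recomputes the common tail, and verifies the per-source constancy the diary reports. The packet records with documentation-range source addresses and the helper names are constructed for illustration.

```python
"""Added example, not from the diary: sort captured UDP payloads into the two
shapes described above.

The two payload strings, destination port 49261 and the constant trailing
bytes are the diary's own. The packet records (with documentation-range
source addresses), the helper names and the per-source consistency check are
constructed here for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

DST_PORT = 49261
# Trailing bytes the diary reports as identical for every payload of each size.
SUFFIX_35 = bytes.fromhex("49504083534350410200")   # 49:50:40:83:53:43:50:41:02:00
SUFFIX_31 = bytes.fromhex("4350410200")             # 43:50:41:02:00


def parse_colon_hex(text: str) -> bytes:
    """Turn a colon-delimited dump such as '8d:da:d1' into bytes."""
    return bytes(int(octet, 16) for octet in text.strip().split(":"))


# The two payloads quoted in the diary.
SAMPLE_35 = parse_colon_hex(
    "8d:da:d1:17:5d:5c:68:96:cb:45:e7:a7:03:dc:9b:00:00:01:00:0c:00:00:00:c3:02:"
    "49:50:40:83:53:43:50:41:02:00")
SAMPLE_31 = parse_colon_hex(
    "70:d4:30:05:70:5b:42:43:3a:7b:07:51:ce:f7:49:00:00:01:00:08:00:00:00:c3:"
    "83:53:43:50:41:02:00")


def classify_payload(payload: bytes) -> Optional[str]:
    """'shape35' or 'shape31' when the payload matches the diary's description,
    otherwise None."""
    if len(payload) == 35 and payload.endswith(SUFFIX_35):
        return "shape35"
    if len(payload) == 31 and payload.endswith(SUFFIX_31):
        return "shape31"
    return None


def matches_report(pkt: Dict) -> bool:
    """True when a packet record fits every property the diary lists."""
    return (pkt["proto"] == "udp" and pkt["dport"] == DST_PORT
            and classify_payload(pkt["data"]) is not None)


def common_suffix(payloads: List[bytes]) -> bytes:
    """Longest run of bytes shared at the end of every payload: the step that
    yields the constant tails quoted in the diary."""
    if not payloads:
        return b""
    suffix = payloads[0]
    for p in payloads[1:]:
        n = 0
        while n < min(len(suffix), len(p)) and suffix[-1 - n] == p[-1 - n]:
            n += 1
        suffix = suffix[len(suffix) - n:]
    return suffix


def length_byte_consistent(payload: bytes) -> bool:
    """Observation from the two quoted samples only (not documented structure):
    the byte at offset 19 (0x0c, 0x08) equals the number of bytes from offset
    23 to the end."""
    return len(payload) >= 24 and payload[19] == len(payload) - 23


def per_source_consistency(packets: List[Dict]) -> Dict[str, bool]:
    """For each source IP, True when every packet used the same source port and
    data, the per-source constancy the diary describes."""
    seen: Dict[str, Set[Tuple[int, bytes]]] = defaultdict(set)
    for pkt in packets:
        seen[pkt["src"]].add((pkt["sport"], pkt["data"]))
    return {src: len(combos) == 1 for src, combos in seen.items()}


def summarize(packets: List[Dict]) -> Dict[str, int]:
    """Count packets per shape; anything outside the description is 'unmatched'."""
    counts = {"shape35": 0, "shape31": 0, "unmatched": 0}
    for pkt in packets:
        shape = classify_payload(pkt["data"]) if matches_report(pkt) else None
        counts[shape or "unmatched"] += 1
    return counts


# Constructed capture: two hosts sending the quoted payloads, one sending noise.
PACKETS = [
    {"src": "192.0.2.10", "sport": 6346, "dport": DST_PORT, "proto": "udp", "data": SAMPLE_35},
    {"src": "192.0.2.10", "sport": 6346, "dport": DST_PORT, "proto": "udp", "data": SAMPLE_35},
    {"src": "198.51.100.7", "sport": 40001, "dport": DST_PORT, "proto": "udp", "data": SAMPLE_31},
    {"src": "203.0.113.5", "sport": 1024, "dport": DST_PORT, "proto": "udp", "data": b"\x00" * 31},
    {"src": "203.0.113.5", "sport": 1025, "dport": DST_PORT, "proto": "udp", "data": b"\xff" * 35},
]

if __name__ == "__main__":
    print(summarize(PACKETS))                      # {'shape35': 2, 'shape31': 1, 'unmatched': 2}
    print(common_suffix([SAMPLE_35, SAMPLE_31]).hex(":"))
    print(per_source_consistency(PACKETS))
```

Run across both samples, common_suffix() shows the two shapes share a seven-byte tail (83:53:43:50:41:02:00), two bytes more than the tail quoted for the 31-byte packets.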

 

UPDATE: 

I have had a couple of universities contact me indicating that this is related to LimeWire.  One sent me packets that were very similar to the ones I received originally.

There also appears to be an Emerging Threats signature to detect this traffic.

Thanks for the help!

-- Rick Wanner - rwanner at isc dot sans dot org

3 Comments

Published: 2009-09-07

Seclists.org is finally back

The 4 day outage at seclists.org/insecure.org/nmap.org (that Marc wrote about here) seems to be over.  Apparently, they had a hard disk failure and have finally recovered.  @nmap said "Yay, we're back online! Just in time for a lazy Labor Day afternoon of BBQ and port scanning." about 3 hours ago on twitter.

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

SEC508 in Columbus starting 10 Sep: http://www.sans.org/mentor/details.php?nid=19458

0 Comments

Published: 2009-09-07

Request for packets

One of our loyal readers, Jon, sent an e-mail this morning that he was seeing some unusual traffic.  In particular, he was seeing IP protocol 46 (RSVP) packets that were getting dropped by his external router sourced from 2 different IPs (which I may share later).  I've never seen RSVP traffic myself and Jon had never seen any either.  At this point, we don't know if this is some sort of reconnaissance or malformed/corrupted packets, but I figured we should see if anyone else is seeing this odd traffic and, if so, if you could grab some packets and send them to us (via the contact form).  As always, your assistance is greatly appreciated.

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

SEC508 in Columbus starting 10 Sep: http://www.sans.org/mentor/details.php?nid=19458

0 Comments

Published: 2009-09-07

Encrypting Data

One of the challenges that any security professional is sure to face revolves around encryption and getting support/funding to put a solution into place.  Not only is cost an issue, but there is the people factor to consider and their resistance to change.   For the most part, people understand that encrypting laptop hard drives is a necessity.  However, that only came about due to the large number of laptop thefts and the publicity surrounding the data that was being stolen on those laptops.  Even so, laptop encryption is still not being done as it should be by many organizations.

Even after all the publicity on laptop thefts, we sadly still see data being copied onto thumb drives, burned onto CDs/DVDs, copied onto external hard drives, etc. without being encrypted.  Media of this type, with unencrypted data, is then carried all over the world by people.  If it's not hand carried, it's dropped in the mail and sent out.  Organizations that encrypt their laptops will provide removable media without any encryption.

If you thought getting support for encrypting data on the media mentioned above was tough, what about encrypting data at rest?  That is the next logical step.  The attacks have changed, and building a defense in depth posture that can stop/detect many of the new threats is getting more difficult.  Even the government recognizes this in the move to Controlled Unclassified Information (CUI).

If you don't think encryption matters or you just haven't gotten around to implementing it yet, then look at the 2009 statistics found at http://datalossdb.org/yearly_reports/dataloss-2009.pdf and keep in mind these are only tracking PII related thefts.  Thefts/losses of other data types and categories are not being reported here.

Total Incidents: 316
Total Records Affected: 138,494,148

The impact of the majority of these losses could have been mitigated if encryption had been implemented.  There is no magic bullet for how much encryption is enough.  It's all about the data and how much it's worth to you.

2 Comments

Published: 2009-09-05

Critical Infrastructure and dependencies

 "Critical infrastructure is a term used by governments to describe assets that are essential for the functioning of a society and economy"  [http://en.wikipedia.org/wiki/Critical_infrastructure] 

In Australia on both Thursday and Friday morning there was a widespread outage (more here and here) of about an hour with Telstra, one of the big telecommunications providers in Australia.  On Thursday it seemed that there was no international connection with Telstra at all, and on Friday it seemed that the root DNS servers were not available from the Telstra network.  Sites whose addresses were cached were accessible; those that required resolution were not (at least on the networks I was connected to).

 

Many of you will probably read this and think, so what, it just one ISP.  But the situation is a little bit different here (and I don't mean upside down).  In Australia up until 1997 there was only one telecommunications provider, Telstra (under different names).  The company built all the infrastructure and to this day still owns and maintains a very large portion of the networks.  Pretty much every ISP and other Telecommunications company has varying degrees of dependency on Telstra.  

 

The end result is that the outage last Thursday and Friday morning was not limited to one ISP, but affected many ISPs who depend on the Telstra infrastructure or who resell Telstra services.   So when looking at critical infrastructure, whether just your organisation's or country, it may not always be obvious how services are provided and there may be dependencies that can affect you of which you were not aware.  When looking at critical infrastructure you have to start thinking outside the box and look at all the elements that make up a specific service and not limit yourself to only your organisation, but also examine the external influences on the infrastructure your company or country depends on. 

 

Mark H - Shearwater

 

SANS Critical Infrastructure Protection Course with Marc Sachs September 10-11 Canberra.  

 

 

 

 

 

 

 

 

 

 

0 Comments

Published: 2009-09-05

SANS Network Security 2009 @Night Classes

If you are coming to San Diego in a few days for SANS Network Security 2009, be sure to check out the SANS @Night classes.  We've got several, including one that I am doing on Thursday night for parents of "Internet Kids."  That talk is open to the general public, not just students registered for the main conference.  You'll need to sign up for these classes in advance.  Details are on the conference web site.

Several of the handlers will be at NS2009 so be sure to look us up and say hello.  Hope to see you there!

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2009-09-04

SeaMonkey Security Update

SeaMonkey is an 'all-in-one' Internet suite. SeaMonkey 1.0 will no longer be updated; download the new version, SeaMonkey 1.1.18, which has a number of security fixes. The advisory is here: http://www.seamonkey-project.org/news#2009-09-03 with release notes: http://www.seamonkey-project.org/releases/seamonkey1.1.18/

Download link is here: http://www.seamonkey-project.org/releases/#1.1.18

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

0 Comments

Published: 2009-09-04

So, you updated your Flash did you?

Helpfully, Snow Leopard downgrades it for you. If you had upgraded to Flash version 10.0.32.18 prior to installing the new OS, you ended up with Flash version 10.0.23.1 afterwards, leaving you vulnerable.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

1 Comments

Published: 2009-09-04

Fake anti-virus

Matt wrote in with the following:

"It might be a good idea to make end users aware that the fake-antivirus scan / trojan / ransomware people have raised the bar.  I'm planning to put together a small educational email to send to my end users.

I had a difficult malware extraction today.  One of our users ended up with Windows Police Pro (WPP) malware installed on her machine. I was really surprised at how tough this program was to clear, and ended up re-loading the machine via Ghost image.

In the past two days, I've heard of two reports of users getting infected, had to handle one myself, and got an email after work from a tech at a remote site.  It appears the fake-antivirus scammers have improved their game a lot. The initial 'lure' on the web has been polished quite a bit to get users to accept the program.

The issues that made Windows Police Pro especially hard to remove were:

1. The main program will not close, and will respawn if killed through Task Manager.
2. The program puts up fake Windows Security pop-ups that are very good copies of the original.
3. It contains a fake of the Windows Security control panel that is a very accurate reproduction.
4. It re-assigns actions for .exe files to its own command interpreter, desote.exe.  This program does not run any .exe chosen, just pops up an error window claiming the desired file is infected.  This action makes it impossible to install MalwareBytes or CCleaner, or even run just about anything else from within the infected session.

I tried to change the .exe assignment in the Registry, but ultimately just deleted the main WPP program files and desote.exe file (Windows Search would still work), which meant the machine came up with the 'I don't know what program to use to open this file' dialog when I clicked on the installer package.  I was able to manually find and run cmd.exe from the /Windows/System32 directory, and get CCleaner to install, but it did not fix the broken registry keys to re-stabilize the system.  At this point I just gave up pursuit, copied the user's files to USB drive, and reloaded from Ghost.

The only element of this that I thought was groundbreaking was the .exe hijack.  Otherwise it's just an impressive polishing job on a tired scam.

Users with only Windows knowledge, or otherwise without an alternate OS to use to cure this, will be at a big disadvantage."

Thanks Matt! Couldn't agree more.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
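The .exe hijack Matt describes lives in the registry's file association for executables, so a quick integrity check is possible. The script below is an added example (not from the diary or from Matt); it compares the live association against the Windows defaults, which are "%1" %* for HKEY_CLASSES_ROOT\exefile\shell\open\command and exefile for HKEY_CLASSES_ROOT\.exe. The hijacked sample value and its path are constructed, since the diary does not say where the malware installs desote.exe, and the decision logic is kept in pure functions so it can be exercised off Windows.

```python
r"""Added example, not from the diary or from Matt's message: check whether the
.exe file association has been redirected the way Windows Police Pro does.

On Windows the default command under HKEY_CLASSES_ROOT\exefile\shell\open\command
is "%1" %* and the default value of HKEY_CLASSES_ROOT\.exe is exefile. The
registry read only works on Windows, so the decision logic sits in pure
functions that run anywhere; the sample values in the usage block are
constructed (the real malware's install path is not given in the diary).
"""
import re
from typing import Optional, Tuple

DEFAULT_EXE_COMMAND = '"%1" %*'
DEFAULT_EXE_PROGID = "exefile"


def parse_command(value: str) -> Tuple[str, str]:
    """Split a registry command string into (program, arguments)."""
    value = value.strip()
    quoted = re.match(r'^"([^"]*)"\s*(.*)$', value)
    if quoted:
        return quoted.group(1), quoted.group(2)
    parts = value.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def command_status(value: Optional[str]) -> str:
    """'default', 'missing', or 'hijacked:<program that now fronts every .exe>'."""
    if value is None:
        return "missing"
    if value.strip() == DEFAULT_EXE_COMMAND:
        return "default"
    program, _args = parse_command(value)
    return f"hijacked:{program}"


def progid_status(value: Optional[str]) -> str:
    """Same idea for the .exe extension itself, which can be pointed at a
    different ProgID instead of editing exefile."""
    if value is None:
        return "missing"
    cleaned = value.strip()
    return "default" if cleaned.lower() == DEFAULT_EXE_PROGID else f"redirected:{cleaned}"


def read_registry_default(root_name: str, subkey: str) -> Optional[str]:
    """Read a key's (Default) value; returns None off Windows or if absent."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(getattr(winreg, root_name), subkey) as key:
            value, _kind = winreg.QueryValueEx(key, "")
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    # Live check on Windows; elsewhere both reads return None ("missing").
    print("command:", command_status(
        read_registry_default("HKEY_CLASSES_ROOT", r"exefile\shell\open\command")))
    print(".exe:   ", progid_status(read_registry_default("HKEY_CLASSES_ROOT", ".exe")))
    # Constructed values illustrating a clean machine and a hijacked one.
    print(command_status('"%1" %*'))                              # default
    print(command_status(r'"C:\Example\desote.exe" "%1" %*'))    # hijacked:C:\Example\desote.exe
```

A result other than "default" for either key on a machine that has not deliberately customised executable handling is a strong sign of the kind of tampering Matt ran into, and it explains why nothing launches from the infected session.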

12 Comments

Published: 2009-09-04

Vulnerabilities (plural) in MS IIS FTP Service 5.0, 5.1, 6.0, 7.0

Microsoft has published an advisory on multiple vulnerabilities in the Microsoft FTP services bundled with IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0. At this time arbitrary remote code execution only works against IIS 5.0 running on Windows 2000 fully patched. On more recent versions a DoS condition occurs. If you are still running an Internet accessible FTP service you may want to take this opportunity to rethink running it under IIS. For internal instances I might monitor them very closely. One mitigation is to NOT allow anonymous connections (as indicated in the POC circulating on the Internet). Unless the attacker is able to obtain a valid username for the system and modify the exploit... and then DoS can still occur, but complete compromise of the system will not. The DoS takes out all inetinfo processes, including www. There is currently no patch available for these vulnerabilities. The exploit code is available. Take the appropriate precautions.

If you must allow FTP, disable anonymous access. If you must allow anonymous access, modify the NTFS permissions to disable write access. If you must allow write access, disable creation of directories. You will still be vulnerable to the DoS in any case.
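The diary's mitigations all come down to removing anonymous write access, so a useful monitoring check for the internal instances mentioned above is to flag anonymous sessions that issue write or directory-creation commands. This is an added example, not code from the diary or from Microsoft; it assumes a simplified W3C-style FTP log line (date, time, client IP, username, command, argument, status) and runs over constructed sample lines.

```python
"""Flag anonymous FTP sessions that issue write or directory-creation commands.
Added example, not part of the ISC diary. Assumed log format: a simplified
W3C-style line 'date time c-ip cs-username cs-method cs-uri-stem sc-status'."""
from collections import defaultdict

# Commands that create or change server-side content; MKD/XMKD create directories.
WRITE_COMMANDS = {"MKD", "XMKD", "STOR", "APPE", "RNTO", "DELE", "RMD"}

# Constructed sample log (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
2009-09-04 10:01:02 192.0.2.10 anonymous USER anonymous 331
2009-09-04 10:01:03 192.0.2.10 anonymous PASS - 230
2009-09-04 10:01:05 192.0.2.10 anonymous CWD /incoming 250
2009-09-04 10:01:06 192.0.2.10 anonymous MKD /incoming/tmp 257
2009-09-04 10:02:11 192.0.2.20 alice USER alice 331
2009-09-04 10:02:12 192.0.2.20 alice PASS - 230
2009-09-04 10:02:15 192.0.2.20 alice STOR /incoming/report.txt 226
2009-09-04 10:03:30 192.0.2.30 anonymous USER anonymous 331
2009-09-04 10:03:31 192.0.2.30 anonymous PASS - 230
2009-09-04 10:03:33 192.0.2.30 anonymous RETR /pub/readme.txt 226
"""

def parse_line(line):
    """Split one log line into a dict; None for comment or malformed lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, c_ip, user, method, uri, status = fields
    return {"ts": f"{date} {time}", "ip": c_ip, "user": user.lower(),
            "method": method.upper(), "uri": uri, "status": status}

def find_anonymous_writes(log_text):
    """Return {client_ip: [event, ...]} for write commands issued by 'anonymous'.
    A non-empty result means the mitigations above are not in effect."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None or rec["method"] not in WRITE_COMMANDS:
            continue
        if rec["user"] == "anonymous":
            findings[rec["ip"]].append(
                f"{rec['ts']} anonymous {rec['method']} {rec['uri']}")
    return dict(findings)

if __name__ == "__main__":
    for ip, events in find_anonymous_writes(SAMPLE_LOG).items():
        print(ip)
        for event in events:
            print("  ", event)
```

Only the first constructed session is reported: alice's STOR is authenticated and the third session only reads.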

The following CVEs are assigned:

CVE-2009-3023 (RCE on IIS 5.0 and DoS on IIS 5.1 and IIS 6.0)
CVE-2009-2521 (DoS on IIS 5.0, IIS 5.1, IIS 6.0, and IIS 7.0)

The advisory is here: http://www.microsoft.com/technet/security/advisory/975191.mspx

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

0 Comments

Published: 2009-09-03

RealVNC Remote Auth Bypass?

We had an interesting submission from one of our readers today.  He thinks there might be a problem with RealVNC.  Here are the comments he sent us:

I'm a professional computer tech for a living, although I don't specialize in security.  A few minutes ago I was shutting my PC down to go to a job when I noticed the VNC icon in my system tray was black, indicating a connection.  I was immediately suspicious and powered the machine back on but unplugged the network cable until I could firewall the VNC service.  I have a home broadband connection and the router is opened up to allow incoming remote access on port 5900.  I have often noted the many failed attempts to connect to my VNC service in the Windows logs; however, this was different.  According to my event log, the service had been connected for about 15 minutes before I noticed it.  Here are the technical details:

RealVNC version: 4.1.3
IP address: 121.32.14.72 (somewhere in China, apparently)
password: 12 characters, alphanumeric

In the logs there were no prior or repeated connection attempts from this or similar IP addresses, as if a brute force attack was happening.  Even at that a 12-character password should be relatively strong.  To me this looks like an authentication bypass vulnerability reminiscent of the 2006 vulnerability; I hope I'm wrong.  You may want to encourage everyone to be on the lookout for suspicious VNC connections.  For now my VNC is remaining firewalled.

For those who use RealVNC, would you check your event logs to see if there is anything similar that you did not authorize?  Use the "comment" section below to post your brief thoughts, or if you have a lot of information to submit, use our contact form.

Marcus H. Sachs
Director, SANS Internet Storm Center

8 Comments

Published: 2009-09-03

seclists.org Outage

It appears that seclists.org is offline.  That impacts some security mailing lists like Full Disclosure, nmap-dev, and portions of the Insecure.org site.  We don't know why the site is down, but it appears that all of the message archives are missing too.  More details will follow as we receive them.  If you have any first-hand knowledge about why the site is down please let us know via our contact form.

Marcus H. Sachs
Director, SANS Internet Storm Center

1 Comments

Published: 2009-09-03

Telstra Outage

We had a couple of reports that Telstra (Australia) was down earlier today.  Still not sure what the problem was, but to Telstra's credit they are using Twitter to keep their customers informed.  Follow them at http://twitter.com/Telstra

Marcus H. Sachs
Director, SANS Internet Storm Center

2 Comments

Published: 2009-09-02

Incident Response Pre Planning Return On Investment

I had an interesting conversation the other day with a good friend regarding the merits of having specific incident response plans for common types of incidents.  My argument was (is) that by having plans for specific types of incidents thought out in advance and pre-planned (mail server DoS for example) you can recover from the incident much faster and lessen the impact of the incident.  His counter argument was that writing all those plans and getting them approved is too much work to justify the small amount of time he says would be saved in recovery.  After all, you know what you're going to do, right?

What do you think?  Is it a small amount of time?  Does it depend on the size of the organization?  The value of the asset?  What criteria do you use to determine what specific scenarios you have written plans for?

Christopher Carboni - Handler On Duty

6 Comments

Published: 2009-09-02

Happy Birthday, Internet!

It all started 40 years ago today, when a couple of computers were connected by a long gray cable in order to pass some data.  The experiment was funded by the Advanced Projects Research Agency (ARPA) and the project was called the ARPANET.  By the end of the year, four sites were connected.  Today it's hundreds of millions of computers and we call it the Internet.  National Geographic has a story and some video here.  Wikipedia has a nice timeline for the ARPANET here.

Marcus H. Sachs
Director, SANS Internet Storm Center

2 Comments

Published: 2009-09-01

Gmail Down

We had several ISC readers reporting that Gmail is down. Gmail will be providing updates here under Google Apps Status.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

7 Comments

Published: 2009-09-01

Opera 10 with Security Fixes

Opera 10 for Windows has been released. Along with several new and improved features, it brings additional security and stability enhancements and several security fixes, listed here.

The change log is available here, and the latest version can be downloaded here.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

0 Comments