Published: 2010-05-30

How Do I Report Malicious Websites? Part 3

Part 3

In a continuation of previous entries (http://isc.sans.org/diary.html?storyid=8719 and http://isc.sans.org/diary.html?storyid=8863) I wanted to inject a little scope-creep and share what others have sent in.


Although the original question was about malicious websites, which led the proposed solution to favor malware intelligence, the framework should include more fraud and crime information.  This need arose while considering how we would import DShield data.  We will need to add a couple more categories:

  • Attacker/Scanner-- This would be the default category for DShield submissions due to the nature of the data sources.  This could also be imported from your own environment's firewall logs and IDS.
  • Fraud-- To help encourage victim organizations and law-enforcement organizations to share details about where cyber-crime is being committed from.  This entry would require a timestamp of the incident.

The date/timestamp of the attack and particularly the fraud is especially important.  Without this information, the report is largely un-actionable by most consumers.  I will commonly receive a list of 100+ IP addresses that were involved in fraudulent transactions from some government or law-enforcement agency and it is largely a waste of time.  Typically months have already passed between when the fraud was committed and when the list is released.  Compound that with the list being full of ISP-consumer IP addresses and all you are going to find are false-positives.  Now, if there were date/timestamps provided in this list, one could then identify if they also had similar activity and provide a better-targeted list of accounts to flag and further inspect.


A few readers have recommended urlvoid.com as a “VirusTotal for URLs.”  It does a nice job of interfacing with 20 or so URL-checkers.  It's unclear if they share submissions with all of these vendors like VirusTotal does.  If so, they're missing an opportunity to capture additional details from the submission.

Most users just want a good/bad or safe/dangerous determination.  It's not always that easy, as we'll see below.

Defining “Bad”

There are a lot of groups that collect this kind of information and they all have their own particular focuses.  Mixing and matching the data from these various repositories can result in some unfortunate consequences.  I'll continue to use DShield as an example.  It is simply a list of dropped sessions, submitted from the public.  It's easy to end up on this list since UDP is trivial to spoof, and folks running P2P applications cause afterglow that can result in dropped connection-attempts that get classified as malicious in some environments.  As long as you're aware of how the data are collected, this isn't a problem-- until you blindly use it to block email.

Having access to the “why” helps you interpret the potential impact of blocks.  Sometimes blocking the request isn't enough.  Blocking an outbound connection to an exploit site is a good thing.  Seeing blocked attempts out to a command-and-control server is a not-so-good thing.


Published: 2010-05-30

VMware ESX/ESXi Updates

Brian wrote in to remind me that on my shift 27-MAY-2010 I failed to mention VMware's release of VMSA-2010-0009 (http://lists.vmware.com/pipermail/security-announce/2010/000093.html) which addresses a number of security vulnerabilities (43 or so) in ESX/ESXi 4.0.

He also points out a handy resource for hardening vSphere noted here: http://blogs.vmware.com/security/2010/04/vsphere-40-hardening-guide-released.html


Published: 2010-05-29

Rogue AV Indictment

I always cringe when I get "that call" to assist with a relative or friend's PC that has fallen victim to some version of rogue anti-virus.

Several media outlets are now reporting on a "scareware" Indictment that was released by the US Department of Justice on May 27th.

You can read the Official FBI DoJ press release here.

G.N. White

ISC handler on duty


Published: 2010-05-28

Wireshark SMB file extraction plug-in

Ever on the search for useful tools, especially those for pulling files from pcaps, fellow handler, Raul Siles, e-mailed me today to let me know about this cool plug-in.  I've just started playing with it, but it looks pretty cool.

Tool: http://www.taddong.com/tools/eo_smb.patch
Whitepaper: http://www.taddong.com/docs/WP_SMBPlugin.pdf

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
FOR 408 coming to central OH beginning 30 Sep, http://www.sans.org/mentor/details.php?nid=22353


Published: 2010-05-27

How Do I Report Malicious Websites? Take 2

A Diary Entry that “Writes Itself”

On my last shift, a reader asked: “How do I report Malicious Websites?” (http://isc.sans.org/diary.html?storyid=8719)   I provided three ways one could report malicious URLs, IP addresses or hosts and requested your comments.  There were a lot of suggestions, so I wanted to do a quick round up on this shift. 

Unfortunately it Became Complex.

There was a long list of sites where you could submit a URL to a particular product, some that focused on particular service-providers, others that focused on certain types of malware (e.g. Zeus) or crime (e.g. phishing.)

There was no simple one-stop-shop for the end customer to use.  Some browsers and add-ons give something resembling that functionality, but it too is still limited to protecting the users of that tool.

Upon reflexion, I realize why a one-stop-shop doesn't exist.  A single collection and repository of information is not the correct model.  It wouldn't scale, it wouldn't be resilient, and it would be expensive.  What I suggest is a framework for exchanging this information.

A Diversity of Clients

The ultimate client is the end-user.  We all know how uniquely diverse this population is, especially with respect to their technical skills and security-awareness.  This requires a diversity of solutions to serve this population: browser add-ins, client software, proxy-servers, specialized DNS clients, etc.

A Diversity of Sources

The intelligence comes from a similarly diverse collection of sources, end-users, help-desk technicians, incident-handlers, malware-researchers, etc.  The accuracy and reliability of this information is similarly diverse; I'm stealing from the old saying: Timely, Accurate, Cheap-- pick two.

Consumers Define the Requirements

I consume a lot of malware-related IP addresses, domains and URLs each day.  This information comes in from a lot of sources: mailing lists, blogs, sandbox analysis reports, online repositories, etc.  My focus is on protecting my users, so I look at this information in a certain light.  For most users, a simple bad vs. good determination is good enough.  I use the following classifications:

  • Suspicious – this is the state that all reports start off with, it looks a little better than “Unknown.”
  • Exploit Site-- this is for links to exploit kits or sites that launch attacks
  • Download – for URLs where downloaders or exploit-sites pull secondary payloads
  • Phone-Home/Command-and-Control-- this is for tracking the requests made by malware after it's installed.
  • Redirect/Compromised Site-- some systems get owned and get included in the long lists of intelligence that circulate

These classifications are important when an analyst is looking through alerts generated from this watchlist.  For example, if a user hits what is classified as a Redirect/Compromised site, but the Exploit Site is blocked by the proxies, you don't have an incident.  On the other hand, if you have a system that is consistently probing out to a Phone-Home site that is blocked by your proxies, then you do have an incident.

For my purposes, the redirect/compromised site list is low priority.  Now, if I were a hosting provider, that list would be of greater importance, but only if the entries were in my network.  It is for precisely this reason why I avoid having a “risk” or “severity” rating associated with these entries.

What should it record? How should the records be organized?  In my database I track based on individual IP or domain, because it's easy to search proxy and firewall logs via hostname, or IP address.  I link the more verbose URL to the domain.  In the framework that I propose, URLs would be classified as Suspicious, Exploit, Downloader, etc. while IP addresses, hostnames, and domain names would be their own records that link to these URLs. 

For example, consider this fictitious exploit URL: hxxp://abcd.efghijkl.ab/invoice.pdf.  In our data-set we could classify this URL as an Exploit URL.  If we had better analysis we could tack on a sub-classification of the particular CVE that this exploit leverages.  The URL would then link to the hostname of abcd.efghijkl.ab, the domain of efghijkl.ab, and at the time of the report  abcd.efghijkl.ab resolved to 3 IP addresses,, and  and these may further link to a particular ASN.

Belief and Feedback

Just like in the IDS and AV worlds, this information has its fair share of false-positives.  This comes in mostly from automated sources-- simply because they don't know better.  For example, a bot-client might reach out to myip.ru while another may make a google-search using a direct IP address call.  Another pain-point is how advertisers redirect requests; examining the network trace of a web-exploit can sometimes lead an analyst down the rabbit-hole of researching the complexities of one of Doubleclick's competitors.

For this reason the framework would have to support multiple reports per URL, and cluster the URLs to account for unique elements in the URL.  Additionally reports would have to identify their sources so consumers could rate sources, or filter out unwanted sources.
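The record layout and triage rule described in this entry, sketched as an added example (it is not code from the diary or from any ISC tool). The class and function names, the source names, the sample reports, the documentation-range IP addresses, the proxy-log tuples, the 7-day matching window and the threshold of three blocked phone-home requests are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

CLASSES = ("Suspicious", "Exploit", "Download", "Phone-Home", "Redirect")


@dataclass(frozen=True)
class Report:
    url: str              # defanged (hxxp://) or plain URL
    classification: str   # one of CLASSES
    source: str           # who reported it, so consumers can filter sources
    seen: datetime        # when the activity was observed
    ips: tuple = ()       # what the hostname resolved to at report time


def cluster_key(url):
    """Refang the URL and drop query/fragment so per-victim tokens cluster."""
    parts = urlsplit(url.replace("hxxp", "http", 1))
    return f"{parts.hostname}{parts.path or '/'}"


class Watchlist:
    def __init__(self):
        self.reports = defaultdict(list)   # cluster key -> [Report, ...]
        self.links = defaultdict(set)      # hostname / domain / IP -> keys

    def add(self, report):
        if report.classification not in CLASSES:
            raise ValueError(f"unknown classification: {report.classification}")
        key = cluster_key(report.url)
        host = key.split("/", 1)[0]
        # Naive registered domain (last two labels); a real feed would
        # consult the public suffix list.
        domain = ".".join(host.split(".")[-2:])
        self.reports[key].append(report)
        for name in (host, domain, *report.ips):
            self.links[name].add(key)
        return key

    def classify(self, key, trusted=None):
        """Majority classification among reports from accepted sources."""
        votes = Counter(r.classification for r in self.reports.get(key, ())
                        if trusted is None or r.source in trusted)
        specific = [c for c, _ in votes.most_common() if c != "Suspicious"]
        if specific:
            return specific[0]
        return "Suspicious" if votes else None

    def match(self, dest, when, window, trusted=None):
        """Labels linked to dest that have a report within window of when."""
        found = set()
        for key in self.links.get(dest, ()):
            recent = any(abs(r.seen - when) <= window for r in self.reports[key]
                         if trusted is None or r.source in trusted)
            label = self.classify(key, trusted)
            if recent and label:
                found.add(label)
        return found


def triage(watchlist, events, window=timedelta(days=7), phone_home_min=3,
           trusted=None):
    """events: (timestamp, client, destination, action) taken from proxy logs."""
    blocked_c2 = Counter()
    verdicts = {}
    for when, client, dest, action in events:
        labels = watchlist.match(dest, when, window, trusted)
        if not labels:
            continue                      # no watchlist entry, or report is stale
        verdicts.setdefault(client, "no incident")
        if "Phone-Home" in labels and action == "blocked":
            blocked_c2[client] += 1       # blocked, but something is calling out
            if blocked_c2[client] >= phone_home_min:
                verdicts[client] = "incident"
        elif labels & {"Exploit", "Download", "Phone-Home"} and action == "allowed":
            verdicts[client] = "incident"  # assumption: unblocked hit needs a look
    return verdicts


def demo():
    t0 = datetime(2010, 5, 27, 9, 0)
    wl = Watchlist()
    # Constructed reports; two of them describe the same clustered URL.
    wl.add(Report("hxxp://abcd.efghijkl.ab/invoice.pdf?id=1", "Exploit",
                  "sandbox-feed", t0, ("192.0.2.10", "192.0.2.11")))
    wl.add(Report("hxxp://abcd.efghijkl.ab/invoice.pdf?id=2", "Suspicious",
                  "helpdesk", t0))
    wl.add(Report("hxxp://blog.example.net/", "Redirect", "mailing-list", t0))
    wl.add(Report("hxxp://c2.example.org/gate", "Phone-Home", "sandbox-feed", t0))
    events = [  # constructed proxy-log tuples
        (t0 + timedelta(hours=1), "10.0.0.5", "blog.example.net", "allowed"),
        (t0 + timedelta(hours=1), "10.0.0.5", "abcd.efghijkl.ab", "blocked"),
        *[(t0 + timedelta(hours=h), "10.0.0.9", "c2.example.org", "blocked")
          for h in (2, 3, 4)],
        (t0 + timedelta(days=90), "10.0.0.7", "192.0.2.10", "allowed"),
    ]
    return wl, triage(wl, events)
```

The last constructed event shows why the report timestamp matters: a hit on a listed IP address 90 days after the report falls outside the window and is not flagged.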

Why a Framework and Not a Centralized Repository?

Although the aim is interoperability, I understand that not everyone wants to share everything with everyone, so I imagine this resembling a number of diverse feeds that are consumed and transformed by vendors and end-users.  Some services may evolve that correlate and fact-check a large number of feeds to provide a stable and reliable source of good versus bad decisions for end-users, while other vendors may pick and choose their sources to craft a unique solution for their market.  Enclaves of researchers would form their own webs of trust via the feeds that they subscribe-to and self-produce.

I'm going to noodle a bit more on this, I welcome your feedback.


Published: 2010-05-27

Sasfis Propagation

Naming and tracking different malware families still leaves much to be desired, so for lack of a better alternative, I'm using the term Sasfis.  Its function appears to be a general bot-net and is mostly leveraged to install other malware such as key-logging/banking-trojans such as Zeus or scareware like the many variants of Fake Anti-virus that are currently in the wild.

I've been seeing this payload quite often this week.  The most common way I see it is in fake shipping invoices.  Today I received a well-targeted email using obviously-compromised user-contact data.  It claimed to be from the state business tax department, and encouraged the recipient to install the (fake) secure-gateway software so that they could continue to pay their sales taxes online.

I'm being intentionally vague about the state since I haven't been able to contact them (abuse@$STATE$.gov bounces, for shame) but needless to say, if your state is distributing security software to you, it shouldn't be hosted in Moldova.

The detection of the malware was low, only 3 out of 40 at VirusTotal.  The host of the command and control server is also well aware of certain public sandboxes' IP addresses; their reports of network behavior were obviously blocked, and I managed to get one of my test IP addresses similarly blocked while playing around with the code today.  They're upping their game.

For those looking for this on their networks, look for HTTP-like activity out to v-medical.org and



Published: 2010-05-26

Malware modularization and AV detection evasion

Modularization of malware is something we have been seeing for quite some time already. Authors of malware often build various modules that allow them to extend functionality of malware but also to make analysis more difficult. The rationale behind this is pretty simple – if this particular infected machine does not need the module that, for example, attacks a certain bank it will not be downloaded and installed. This makes it more difficult for the AV vendors to collect all samples of various modules as the attackers can target them. One example of such highly modular (and heavily protected) malware is certainly Clampi – you can see a series of articles about this malware family posted on Symantec's web site.

The attackers can also use modularization to rapidly change fingerprints of malware – if only one module is detected by an AV vendor, the attacker only has to modify that particular module. And if you've been following our diaries you already know how the AV vendors are lagging behind the attackers.

One very simple malicious file was submitted to us a couple of days ago by our reader Tim. He found the file in the /Windows/SysWOW64 directory on his Windows 7 machine. The file was named netset.exe and it wasn't signed, so it immediately looked suspicious to Tim.
However, online malware scanners all happily declared the file safe – when it was initially submitted to VirusTotal it resulted in 0 detections (yes – 0 out of 40 AV programs on VirusTotal, see the report here).

After we received the file, one of the things I normally first use is Anubis, a service for analyzing malware available at http://anubis.iseclab.org/. However, Anubis also said that this file is safe and that it did not do anything suspicious. At that point in time I knew I had to dig manually into the file and this is what it is doing.
While not terribly malicious (meaning, it's not a trojan that will communicate with a C&C), the file is obviously part of another malware. The sole purpose of this binary was to check if the user is running certain AV programs on his machine and, if yes, return that result as the exit code so presumably that other malicious program knows what to do. But the sneakiness around this was interesting.

First of all, the malware has to be started with a command line parameter – it can be any parameter that starts with the letter "s" or "t". If that character was not found, the malware will delete some files (dtnet.exe, plang.enu, dsten.log) and just exit. The code that checks the argument can be seen in the picture below:

[Image: Argument test]

If the correct parameter was found, the binary opens the HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Uninstall registry key which holds all installed applications on the system. It then goes through all the subkeys and compares them to the following list: avast, avg, avira, nod32, kaspersky, norton, mcafee, trend micro, comodo. It is now pretty obvious what it does. For any of these, an internal counter is incremented. Finally, when the binary exits the counter is used as the return code so, as I said above, I presume that some other piece of malware uses this to check if there is an AV program running on the machine.
This code is shown below too:

[Image: AV test]

While this file is relatively simple, we can see on this example that the attackers are using those simple tricks to make automated analysis more difficult. Since even emulators such as Anubis, which execute the malware in an isolated environment, will not know which argument it needs, the file will appear to be benign. And judging by the VirusTotal results they have no problems with evading signature based scanning either.





Published: 2010-05-25

Tabnabbing new method for phishing.

New method for phishing discovered by Aza Raskin, “creative” lead for Firefox.

I had to run this through the Google translation service and it did a decent job but not perfect.
I modified it somewhat based on my understanding of the issue.
There is a good flash video that shows how the attack works.

Here are the steps as outlined in the translated version of his description.

User navigates to your normal looking site.

The phishing site detects when the page has lost focus and it hasn't been interacted with for a while.

Replace the favicon on the tab with the Google favicon, the title with "Gmail: Email from Google", and the page with a Google login look-alike. This can all be done with just a little bit of Javascript that takes place instantly.

The user scans their many open tabs; the favicon and title act as a strong visual cue, and memory is malleable and moldable, so the user will simply think that they most likely left a Gmail tab open. When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

Assuming the user had left a Gmail tab open where they had previously authenticated correctly, and assuming the user has entered their login information and it has been sent back to the phishing server, the phishing site can now redirect the user to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.



Published: 2010-05-25

Security people shouldn’t pay the "spam support system" for email lists to send SPAM

Yes this is a pet peeve of mine. I am not going to out the various security companies that do this but when I get SPAM from a “security company” I often report them to their ISP for AUP violation and attempt to educate the SPAMMER who sent the SPAM.

I recently replied to one of the many such SPAMs I received.

They were advertising a Security & Risk Management Summit taking place in Washington, DC.
I asked how they got my email address and was told they buy their lists from various sources.  I explained that by buying those lists they were feeding the spam support system. They didn’t respond to that comment so either they already knew and don’t care or felt it was justifiable.

I recommended that they ONLY use doubly opted-in lists. (Ones that you opt-in to and get a verification email sent to you to ensure someone else didn’t opt you in).

They did provide an opt-out option and when confronted stated that they were can-spam compliant. If you’re a security company and you send me SPAM expect me to respond and request termination of your service for AUP violation!



Published: 2010-05-25

Facebook “joke” leads to firing.



“A CITY council in Wisconsin defended its decision to fire a Police and Fire Department dispatcher who joked about drug addiction on her Facebook page.”

The arbitrator said the dispatcher could come back after a 30 day suspension but the police chief appears to believe her joke was so inappropriate and “an embarrassment to the city”.
Personally this seems a bit extreme; however, social networking users should be aware that investigating Facebook pages of employees is becoming more common.



Published: 2010-05-23

Oracle Java SE and Java for Business 'MixerSequencer' Remote Code Execution Vulnerability

SecurityFocus has published the Bugtraq ID 39077 vulnerability for Java SE and Java for Business, which allows attackers to remotely execute code in the context of the user running the affected application.

Read the publication here: http://www.securityfocus.com/bid/39077

There is a great blog explaining the technical details. Read it here (by Peter Vreugdenhil): http://bit.ly/aM1J01

The solution is to update java to a non-vulnerable version. Please read http://www.securityfocus.com/bid/39077/info at bottom of the page.

-- Manuel Humberto Santander Peláez  |  http://twitter.com/manuelsantander  |  http://manuel.santander.name


Published: 2010-05-23

e-mail scam announcing Fidel Castro's funeral ... and nasty malware to your computer.

There are two public broadcast TV stations in Colombia. We received a report that an e-mail is out there claiming to be from one of the stations and announcing they have the video of Fidel Castro's funeral:


The URL points to a UK server and downloads a nasty little malware done in Visual Basic that changes Windows parameters and collects info from your computer. The trojan used to upload the malware is located in the same directory:

[Image: Netshell Screenshot]

We encourage Web server admins to keep security patches up to date and avoid default configurations on web servers that could allow attackers to upload this kind of file to your webserver. This backdoor is pure PHP and, as you can see, has a lot of useful options.

Please keep in mind also that clicking URL links inside e-mail is dangerous. Always go to the web server by typing the URL yourself.

-- Manuel Humberto Santander Peláez  |  http://twitter.com/manuelsantander  |  http://manuel.santander.name



Published: 2010-05-22

SANS 2010 Digital Forensics Summit - APT Based Forensic Challenge

In conjunction with the 2010 SANS Digital Forensics and Incident Response Summit...there is a contest!

To quote Rob Lee...

"The 2010 Digital Forensics and Incident Response Summit's focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. I asked Jonathan Ham and Sherri Davidoff (who co-authored the sell-out Forensics 558: Network Forensics course and created many successful contests at - forensicscontest.com) to create a contest based partially on how the APT might try and trigger a compromise to steal intellectual property via a targeted attack via spear phishing.

I'm proud to announce that Jonathan and Sherri have created an amazing contest that will challenge you to use sophisticated skills and help you see the types of attacks that could be infecting your networks today. Using published information based on the Aurora attacks they set out to recreate a sequence of events that demonstrate the challenge investigators will face when examining compromises of clicking on links via a targeted spear phishing attack. This contest is a step in the right direction to help educate and challenge forensic professionals around the country. It also provides a good example of some of the discussions we will cover at the 2010 Forensic Summit: Malware analysis, Network Forensics, and the Advanced Persistent Threat. Jonathan and Sherri will announce the winners at the Forensic Summit on July 8. We hope you win the challenge and will attend the 2010 Forensic Summit, July 8, 9 in Washington D.C."

The contest itself is available over at the SANS Computer Forensics Blog.

Have fun!

-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2010-05-21

2010 Digital Forensics and Incident Response Summit

One of the big events of the year for digital forensics practitioners and incident responders is coming up quickly. The SANS Digital Forensics and Incident Response Summit takes place in Washington, DC on July 8th and 9th, 2010.

Judging by the reviews from people who attended last year's summit, if you have an interest in digital forensics or incident response this is the must-attend event of the year.

More info is available over at the SANS Forensics Blog.

The detailed agenda is available from the event page at sans.org.

Even if you can't make it, or you need to be convinced of the value, you can always check out the presentations from the 2008 and 2009 versions of the summit.


-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2010-05-21

IBM distributes malware at AusCERT!

Just in case you were at AusCERT this week and missed the delegate message from IBM.

From the "it can happen to the best of them" department... IBM accidentally distributes Malware at AusCERT


-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2010-05-20

Is this version of PuTTY legit?

Write in from Andy (thanks Andy!) asking today if http://putty.very.rulez.org/ is a legit site to download putty (the popular tool to connect from a Windows box to Unix boxes via Telnet/SSH, etc.).

How did Andy find this site you ask?  Well, if you go to Google and type in "Putty" you'll notice that the above URL is SEO'ed ABOVE the actual putty.org website.

So far, when I downloaded both versions (from the above site, and from putty.org) the md5's match up, so right now, they are legit copies.  I'm not accusing rulez.org of doing anything inappropriate, don't get that impression.  I'm just using an abundance of caution, heck, they may be a legit mirror.  But as far as I can tell, they aren't on the authorized mirrors list, found here.

So, we prefer that you get your PuTTY downloads from the correct site.  Putty.org.  Which, if you click on the download link, it will redirect you to here.


Which is the actual download link.  

Thanks Andy for writing in and staying vigilant about watching those URL's!


-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler



Published: 2010-05-20

Bind patches are out

Several versions of Bind were updated with patches this morning.  The patches, according to the release notes found here, read as follows:

"Named could return SERVFAIL for negative responses from unsigned zones."

So if you are running Bind, be sure and update here.


-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler


Published: 2010-05-19

Wordpress blog attacks... again

The good people at Websense have a new writeup on Wordpress blog attacks that have been occurring this week.  Read the blog entry here.

-Kyle Haugsness


Published: 2010-05-19

Metasploit 3.4.0 released

Version 3.4.0 of Metasploit was released today and it appears to contain some very nice features.  Included now is some functionality for brute forcing credentials for daemons requiring authentication and many other new capabilities.  Full information here: http://blog.metasploit.com/2010/05/metasploit-framework-340-released.html

-Kyle Haugsness


Published: 2010-05-19

EFF paper about browser tracking

The Electronic Frontier Foundation (EFF) has published a paper on browsers being tracked by their unique fingerprints. It turns out our browsers are more unique than we would like to think they are, so it is possible for websites to track users around using the unique fingerprint. While it may not be possible to know the exact user's identity, tracking from one web location to another is definitely a possibility. User agent string, system fonts, screen resolution and many more of the computer's attributes all contribute to the unique fingerprint of the computer + browser combination.  For those of you really concerned about your privacy, maybe it's time to randomize the timezone settings, fonts and screen resolution frequently (joking). Disabling Javascript and active content helps with this a little bit, but you need to decide whether privacy is worth losing the ability to view the active content.

Full paper can be found at https://panopticlick.eff.org/browser-uniqueness.pdf



Published: 2010-05-18

Canonical Display Driver Vulnerability

Microsoft released a security advisory [1] with details about a so far unpatched vulnerability in the canonical display driver. All systems with the "Aero" theme enabled are vulnerable.

Theoretically, code execution is possible, but according to Microsoft unlikely. However, the vulnerability would allow a DoS attack by crashing the system. The quick fix for the problem is to turn off aero.

[1] http://www.microsoft.com/technet/security/advisory/2028859.mspx


Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Published: 2010-05-16

Upcoming MySQL patch fixes several critical vulnerabilities

William wrote in to let us know that the changelog for the upcoming release of MySQL, version 5.1.47, has been released, and it appears this release fixes several critical vulnerabilities and probably should be applied as quickly as is reasonable.  What is interesting is that although a relatively detailed changelog is available which describes in some detail the vulnerabilities being addressed, which could be interesting to attackers, I could not find any information on when the 5.1.47 release would be available.

If anyone can provide a pointer to this release information, please pass it on to us.


-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2010-05-16

Symantec triggers on World of Warcraft update

We have had a couple of reports over the last 24 hours of users experiencing issues with Symantec anti-virus products triggering on scan.dll.new which is a component of World of Warcraft.

Judging by the traffic on this topic in the WoW forums it would appear these are not isolated reports.

The detailed version of the alert is:

Severity = High
Activity = Auto-Protect has detected Infostealer
Date & Time = 15/05/2010 (various times from 9:00 to now)
Status = Blocked
Recomended Action = Resolved no action

Risk Catagory = Virus
Definitions Version 2010.05.14.048
Severity = High
Component = Auto-Protect
Status = Blocked
File Name = c:\users\public\world of warcraft\scan.dll.new

What I find interesting in this case is not that we have another anti-virus false positive, but that Symantec is listing scan.dll.new  as an InfoStealer and that it appears this false positive has happened on past World of Warcraft patches/updates that created a file called scan.dll.new. What exactly are they triggering on?  Is this an old signature from a previous issue? 

I have been interested for a while in the accuracy of Anti-Virus products in the modern computing world.  The Anti-Virus paradigm we have used since the 80's  is seriously flawed, and in my opinion is slowly unraveling. The rash of false positives in recent months is just one symptom of that.

I have been watching with great interest the attempts to develop a new paradigm that fits better in the modern computing reality.  Most of these are attempts at more heuristic or behavior based products that rely less on signatures. It seems to me that since these attempts require a somewhat more "fuzzy" approach to anti-virus, won't these sorts of false positives likely become more common, not less?

Are we getting to the point where software providers are going to have to start testing their updates against common anti-virus products before release?

As usual I am interested in your opinions.  You can submit them either via our comment mechanism at the bottom of this diary, or via our contact page.


-- Rick Wanner - rwanner at isc dot sans dot org


P.S.  If any anti-virus companies have any documentation on futuristic anti-malware research directions that they can let me read I would be fascinated to have it.


Published: 2010-05-15

Onboard Computers Subject to Attack?

New Scientist has an article online titled New cars vulnerable to malicious attacks.  The article states that 2 researchers used a socket under the dashboard to plug in a laptop.  Using the laptop they were able to control various controls on the car.  As the article states it would be difficult to use this method.  I think the driver would notice a laptop connected to their dashboard.  However, imagine the possibilities if some device plugged into the socket allowed wireless control of the control systems.  Again probably still difficult to do but things thought to be impossible are cracked every day.  As an owner of one of these new vehicles with all the computer controlled gadgets it is a scary thought for me.  Hopefully, the automakers will solve this potential security problem before someone does successfully take advantage of it and use it for malicious purposes. Imagine an out of control freight train or 18 wheeler heading straight at you because some terrorist or other knot head overrides the computer control system.

In these days of high tech gadgets with computer control of everything from cell phones to automobiles to 18 wheelers to Train Engines,  it is time for everyone to take Computer/Data Security seriously.  


 Thanks to our reader Adam for bringing this to our attention.


Deb Hale Long Lines, LLC


Published: 2010-05-15

Google Acknowledges Grabbing Personal Data

It appears that Google, Inc has had a lapse in judgment for the last 4 years and has been scooping up snippets of personal data from open WiFi networks.  Google has acknowledged that they have indeed done the captures.  Google has issued a public apology and stated that none of the information has made it to their search engines or other services.  According to the article:

"Google characterized its collection of snippets from e-mails and Web surfing done on public Wi-Fi networks as a mistake, and said it has taken steps to avoid a recurrence. About 600 gigabytes of data was taken off of the Wi-Fi networks in more than 30 countries, including the U.S. Google plans to delete it all as soon as it gains clearance from government authorities."


It looks like Google, Inc has some explaining to do.

Deb Hale Long Lines, LLC


Published: 2010-05-15

Phony Phone Scam

The FBI and their partner organizations have issued a warning to consumers in the US that a new phone scam has appeared.  This scam is basically a telephone denial of service attack that is being used to distract the receiver of the calls from a much more important problem.  The article states:

"The scheme is known as telephony denial-of–service (TDOS) and according to several telecommunications companies working with the FBI, there has been a recent surge of these attacks in the past few weeks. The perpetrators are suspected of using automated dialing programs and multiple accounts to overwhelm the land and cell phone lines of their victims with thousands of calls.

When the calls are answered, the victim may hear anything from dead air (nothing on the other end), an innocuous recorded message, an advertisement, or even a telephone sex menu! The calls are typically short in duration but so numerous that victims have had to have their numbers changed to make the calls stop. 

The FBI has determined that these calls serve as a diversionary technique. During these TDOS attacks, online trading and other money management accounts are being accessed by the perpetrators who are transferring funds out of those accounts. The perpetrators will obtain account information of their victims in some way and then contact the financial institutions to change their victims’ profile information such as email addresses, telephone numbers and bank account numbers.

The purpose of the malicious phone calls is to occupy the victim phone numbers on record with the financial institutions managing the accounts so that when the institutions contact the victim to verify the changes and transactions, the institution is unable to reach the victim. Consequently, the victim has no idea what has really transpired until it’s too late."

You can see the full article at the NJToday website. 


The article warns the receiver of any of these types of calls to be hyper vigilant and keep an eye on all of your personal finances, accounts and make sure that you take advantage of the right to your free credit report annually.  All of us should take this advice to heart whether or not you are receiving these harassing calls.

Deb Hale Long Lines, LLC


Published: 2010-05-13

New tool from Mozilla for updating plug-ins

It's been a relatively quiet day so I thought I'd mention this nice little tool that Mozilla has released:


It does exactly what it looks like - checks to see if your plugins are up to date and provides links to update them if they are not. It works with Firefox 3.6+, Opera 10.5, Safari 4, Chrome 4, or IE 8 and while they claim limited support for IE, it worked just fine when I tried it.


Published: 2010-05-12

Layer 2 Security - Private VLANs (the Story Continues ...)

Rob, you say - it's been a little while since we talked about Layer 2 Security (almost a week) - does that mean that we're done? 

Not a chance - we haven't talked about Private VLANs yet!

A VLAN is often defined as a "broadcast domain", and in most cases it coincides with an IP subnet.  Private VLANs (also called PVLANs) are the exception to this: a Private VLAN is still usually a single IP subnet, but the "broadcast domain" definition no longer holds true.

In a private VLAN, you start by defining an "uplink" port (also called a "promiscuous" port).  This is normally the port (or link aggregation group) that is attached to the uplink router(s), firewall(s), provider network or server(s).  After that is set, you define "isolated" ports.  Any frame received on an isolated port is forwarded only out the uplink port, no matter what destination MAC or IP address it might have.  This includes ARP traffic or any broadcast traffic.  Frames received on the promiscuous port are then forwarded in the usual way - ARPs, Broadcasts and all other layer 2 frames work as you would expect them to.

So what this means is that isolated ports in a Private VLAN cannot "speak" to each other at all - their only traffic path is via layer 3, to other subnets or to other isolated ports in that PVLAN. 

The concept of private ports can be expanded to include larger port groups - this concept is called "community" ports.  Community ports can speak to each other via layer 2 just like a regular vlan, but are separated from ports in other communities, and from isolated ports.
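
The forwarding rules described above, modelled in Python as an added example (not part of the original diary and not any vendor's implementation). Port names and MAC addresses are constructed; the model assumes community ports can also reach the promiscuous port, and that a unicast frame addressed to a MAC behind a port the sender may not reach is dropped.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Port:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    community: Optional[str] = None  # only meaningful for community ports


class PrivateVlan:
    """One private VLAN: a role per port plus an ordinary MAC learning table."""

    def __init__(self, ports: Iterable[Port]) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.mac_table: Dict[str, str] = {}  # source MAC -> port it was learned on

    def allowed_egress(self, ingress: str) -> Set[str]:
        """Ports that a frame received on `ingress` may ever leave by."""
        src = self.ports[ingress]
        others = [p for p in self.ports.values() if p.name != ingress]
        if src.role == "promiscuous":
            # Frames from the uplink are forwarded in the usual way.
            return {p.name for p in others}
        uplinks = {p.name for p in others if p.role == "promiscuous"}
        if src.role == "isolated":
            # Isolated ports reach the uplink and nothing else.
            return uplinks
        if src.role == "community":
            # Assumption: community members reach each other and the uplink.
            peers = {p.name for p in others
                     if p.role == "community" and p.community == src.community}
            return uplinks | peers
        raise ValueError(f"unknown port role: {src.role!r}")

    def forward(self, ingress: str, src_mac: str, dst_mac: str) -> Set[str]:
        """Learn the source MAC, then return the ports the frame is sent out of."""
        self.mac_table[src_mac] = ingress
        allowed = self.allowed_egress(ingress)
        learned = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or learned is None:
            # Broadcast (ARP included) and unknown unicast flood, but only
            # within the set of ports this ingress role is allowed to reach.
            return allowed
        # Known unicast: delivered only if the learned port is permitted,
        # otherwise the model drops the frame (empty set).
        return {learned} & allowed

    def l2_reach(self) -> Dict[str, Set[str]]:
        """Layer 2 reachability per port, for auditing a segmentation design."""
        return {name: self.allowed_egress(name) for name in self.ports}


def build_sample() -> PrivateVlan:
    """Constructed topology: two isolated hotel-room ports, two customers."""
    return PrivateVlan([
        Port("uplink", "promiscuous"),
        Port("room101", "isolated"),
        Port("room102", "isolated"),
        Port("custA-1", "community", "A"),
        Port("custA-2", "community", "A"),
        Port("custB-1", "community", "B"),
    ])


if __name__ == "__main__":
    for port, reach in sorted(build_sample().l2_reach().items()):
        print(f"{port:8} -> {sorted(reach)}")
```

The reachability map from `l2_reach()` can be compared against the intended segmentation before a design is deployed: any isolated port whose set contains more than the uplink is a design error.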

Typical applications for private VLANs might be in a Colocation Facility or public or private IaaS network (Infrastructure as a Service Cloud), where you might have several customers using the same subnet, but communications between the customers is not desirable as it would circumvent their firewalls.  This might also be used on a DMZ, where you might want to restrict communications between DMZ hosts, but it's not worth the effort or cost of creating a separate DMZ for each host.  Another common use for Private VLANs might be in a hotel situation, where each hotel room has internet access, all are on the same subnet, but communications between the rooms is not desired (for obvious reasons.)

This diary touches on only the most basic concepts of Private VLANs - I won't get into the specifics of the configuration, as they vary quite a bit between various vendors' gear.  Also be aware that this covers only the most basic of PVLAN concepts - there's enough material in this for a good few hundred pages, if you were writing a book on Layer 2/3 Switching and Security for instance.

 As always, if there are any errors in this diary, or if you'd like to comment with other examples of how you've seen PVLANs used, feel free to use the "comment" link.

=============== Rob VandenBrink Metafore ===============


Published: 2010-05-12

Adobe Shockwave Update

Adobe released a new version of the Shockwave Player for Windows and OSX yesterday.  Multiple vulnerabilities are addressed. Most of the vulnerabilities on the list result in compromise of the workstation and arbitrary code execution, so this is an important update to get done ASAP.

Full details here ==> http://www.adobe.com/support/security/bulletins/apsb10-12.html

=============== Rob VandenBrink Metafore ===============


Published: 2010-05-12

.de TLD Outage

Several readers wrote in to note that the .de domain (Germany), which is operated by DENIC [1], had an unplanned outage earlier that lasted a bit over an hour.
There is no official statement yet, but according to one source [2], a bad zone file was loaded and it took a while to fix.

Currently, .de domains appear to be reachable again.

[1] http://denic.de/ (in German)
[2] http://www.tld.sc/en/

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


The outage looks like it was from approximately 13:30 to 15:30 local time (CEST)

================= Rob VandenBrink ====================


Published: 2010-05-11

May 2010 Microsoft Patches

 Overview of the May 2010 Microsoft Patches and their status.

# | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*): clients | ISC rating(*): servers
MS10-030 | Vulnerabilities in Outlook Express and Windows Mail (Replaces MS09-037, MS08-048): Outlook Express and Windows Mail Integer Overflow | | Proof-of-concept code publicly available | Severity: Critical, Exploitability: 2 | Critical | Important
MS10-031 | Vulnerabilities in Microsoft Visual Basic for Applications (Replaces MS08-013, MS06-047): VBE6.DLL Stack Memory Corruption | | No known exploits | Severity: Critical, Exploitability: 2 | Critical | Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Scott Fendley
ISC Handler on Duty



Published: 2010-05-10

New paper on using kernel hooking to bypass AV

Matousec has released a new paper (http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php) detailing their proof of concept for using kernel hooking (specifically what they are calling an "argument switch attack") to bypass antivirus software. The concept isn't new, as they acknowledge, but the paper is nicely detailed and the use of a race condition of sorts to bypass security checks made when a kernel hook is requested/handled is cool. It should be noted that PatchGuard should provide some protection against this attack, though how much is uncertain.


Published: 2010-05-10

Another round of WordPress Attacks

H-Security has published an article (http://www.h-online.com/security/news/item/Large-scale-attack-on-WordPress-996628.html) discussing a new series of attacks against WordPress-based sites.

Multiple ISPs have been hit including GoDaddy, Bluehost, Dreamhost, Network Solutions and Media Temple. There is one report that even sites built with the most current version of WordPress have been compromised.

We will update as we have more information. At this point I recommend reading the H-Security article for the summary of the scripts being added and contacting your hosting provider if you have concerns about your site.


Published: 2010-05-08

Wireshark DOCSIS Dissector DoS Vulnerability

Wireshark issued an update to fix an issue with the DOCSIS (Data Over Cable Service Interface Specification) dissector. It could be exploited by attackers to cause a DoS when processing malformed data, causing a crash of the application.

Affected Products

Wireshark versions 0.9.6 through 1.0.12.  Bulletin can be viewed here.
Wireshark versions 1.2.0 through 1.2.7.  Bulletin can be viewed here.


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org


Published: 2010-05-08

Microsoft Patch Tuesday May 2010 Pre-Release

Microsoft announced they will be releasing a total of 2 bulletins rated critical that could allow for remote code execution. The vulnerabilities affect Windows 2000, XP and Vista as well as Windows Server 2003, 2008 and 2008 R2. Other affected applications are Office XP, 2003, 2007 and MS Visual Basic. More details available here.

The recent SharePoint Security diary posted on ISC will not be addressed in the May bulletins.

[1] Microsoft Security Response Center Blog


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Interested in taking SANS Sec 503 in French?
Register at http://www.sans.org/nice-2010/ for Community SANS in Nice, France - June 21 to 26, 2010


Published: 2010-05-07

Stock market "wipe out" may be due to computer error

A number of stocks lost about all their market value yesterday in the span of 5 minutes, leading to the fastest ever drop in the Dow Jones index. Luckily, most of the value was recovered, but the index overall was still substantially lower. It is not clear yet what exactly happened, but computer issues are cited as a possible reason. One report suggested a data entry error (entering "B" for "Billion" instead of "M" for "Million"). But several stocks were affected. These companies' stocks went from as high as $59 to a couple of cents in a few minutes.

Again, the investigation is just starting. But this overall reminded me of a scenario we put forward a few years back. John Bambenek published a nice diary [1] in September of 2005 estimating that $24 Billion worth of assets were under the control of bot herders at the time in the form of brokerage accounts owned by infected users. This number is of course just a guess, but it does support the scenario of a bot-controlled "Market DoS". The scenario we put forward back then was that a botnet could cause economic mayhem if such a sell-off were timed right to coincide with real-world events that would cause "market jitters". Right now, the economic crisis in Greece and the oil spill in the Gulf of Mexico can be seen as such events.

How do we protect ourselves? Sadly, as is typical in our approach to software security, incident handling and forensics will have to come first. Maybe then, we will learn what we should have considered in the first place: how to write more secure software, and how to put the controls in place to prevent these errors.

[1] http://isc.sans.org/diary.html?storyid=712

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


More thoughts on this - if you want a large financial influence (for instance in a cyber-war scenario), you don't need to control 24B in household assets through malware, you need to control one trader's workstation at a major firm.   Yesterday's event shows us just how vulnerable we are - one bad trade, and all the lemmings follow the leader over the cliff!  Fund managers would be good targets as well.  Through a lever like this, your control is multiplied potentially hundreds of times.

Looking for targets like that?  I just searched LinkedIn for "hedge fund" (36,000 results)  or "fund manager" for targets (12,000 results) - all nicely searchable by city, company etc.

A targeted phish campaign against a narrowly defined audience like that ... hmmmm ....


============== Rob VandenBrink, Metafore  ================



Published: 2010-05-07

Security Awareness – Many Audiences, Many Messages (Part 2)

Last month, I posted a diary titled "The Many Paths to Security Awareness", which discussed various job positions, what motivates people in those jobs, and what messages you might use to take advantage of those motivators.  The end goal is that, when faced with a security-related decision, you see a move in the positive direction.  As a security professional, you want people in your organization or your customers' organizations to "make the right choice" when they're put on the spot.

First of all, I'd like to thank everyone very much for participating in the survey that was part of the original story.  I used the survey results, along with interviews and my own experience to write a paper on this topic (one of my last requirements for my sans.edu masters degree ! ).  You can find the paper here ==> http://www.sans.edu/resources/student_projects/ , along with a presentation that summarizes the information.  The presentation got posted as a PDF, so the nifty powerpoint animations don't work, but the message is all there.

There were lots of things in the results that you'd expect - for instance, CEO's are motivated by regulatory compliance, avoiding lawsuits and shareholder value, but some of the results were a bit of a surprise:

When I started this, I had thought that protection of Intellectual Property (IP) would be of primary concern to Engineers and others that actually create said IP.  However, what I found was that, more and more  the value of IP is being given a real dollar value, and any compromise of IP is being worked into corporate risk assessments.  So protection of IP is now on the radar of lots of CEO's, and protection of IP can be used to influence security decisions at that level.

Folks in a Helpdesk role are motivated by uptime of Corporate Systems, compliance with Corporate Policies and personal financial incentives, but more overtime does NOT count as a financial incentive !  Also, personal workstation downtime almost didn't register as a motivator (this one kind of surprised me).

Something that we all live with is that IT groups are still taking the lead in developing, monitoring and enforcing security policies.  However, what is FINALLY happening is that HR is now starting to take the lead in some of this.  In many organizations, things like reports from the content filter that monitors and enforces web usage policies are now the responsibility of HR, with IT there to provide the service and act as an expert consultant.  This is a good thing to see, because HR is actually placed to do real enforcement of policies like AUP's (Acceptable Use Policy) and Web Surfing Policies, where in many companies IT could only watch and shake their heads.

What didn't work across the board was any security task that people couldn't immediately see value in on their own (without a lesson from security school).  So, for instance, if you want to implement password complexity where it hasn't existed before, it's probably worth a bit of an awareness message ahead of time or no-one is going to be buying into it.

Again, the full results are in the paper, the power point covers the high points.

Anything you'd like to add to the list is welcome, by all means use the comment form to add to this story !

=============== Rob VandenBrink, Metafore ===============


Published: 2010-05-06

non-latin TLD to be issued

Top-level domains are taking a new turn today with ICANN announcing the new TLDs using non-Latin characters. For example Egypt: مصر (Egypt).  It will be interesting to see how this will be used. I wouldn't know where to begin typing مصر on my keyboard so I would have to rely on links to get me to some sites. As we know clicking links blindly on the internet is always a great idea, especially in emails.  For the announcement click here ;-)  (http://www.icann.org/en/announcements/announcement-05may10-en.htm).





Published: 2010-05-06

Learn about web app hacking and defense

Tor sent in a link to a Google code page on Web Security.    This page provides links to several good web app pen testing and defense resources.  The most intriguing of which is the Jarlsberg codelab.  Essentially Jarlsberg is a buggy web app that you can hack to learn web app pen testing and defense.

From the Jarlsberg introduction page:

"This codelab is built around Jarlsberg /yärlz'·bərg/, a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Jarlsberg and in general. "

Sounds like fun.


-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2010-05-04

DNSSEC...not a bang but a whimper?

Tonight is the night that DNSSEC is enabled between the DNS root servers. I am not going to go into detail since the good people at the other ISC have already done a wonderful job of that in their posting.

Lots of the usual hype in the usual places including The Register, Slashdot, etc.  The fact is that this really only affects the way your ISPs talk DNS to the root servers. I suspect most users are using their ISP's DNS servers which will continue to talk to their customers the old way.  It may cause problems for some users who are hosting their own DNS servers behind antiquated firewalls, but for the most part this will be a non-event.

What I find interesting is that using the resolver test at RIPE, my OpenDNS provided resolvers fail.  

Hopefully that will be fixed before the big event.


-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2010-05-04

Malicious iFrame on US Treasury and other sites?

We have received a number of emails from readers pointing us to news articles indicating that the US Treasury is in the process of cleaning up malicious iFrames that have infected a number of their sites.  We have also received one report that this particular iFrame redirect has also been found at other sites and that perhaps this may be another registrar related compromise.

If anyone has any further information on whether or not this is bigger than just the US Treasury, we would love to hear it. 

As usual you can send us feedback through the comments to this diary, or via our contact page.


-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2010-05-04

SIFT review in the ISSA Toolsmith

Russ McRee over at holisticinfosec.org has once again written an excellent ISSA Toolsmith article.  This article is a review/tutorial of SIFT - SANS Investigative Forensic Toolkit.  SIFT is Rob Lee's open source forensic toolkit used for the SANS SEC 508.  Daniel Wesemann announced the availability of SIFT in a previous diary.

As usual Russ provides good insight into the high points of SIFT including how to install and configure SIFT.  He then walks you through some of the features of SIFT by performing a basic investigation of a memory image.

While the article only scratches the surface it is definitely worth the read if you are interested in forensics using open source tools.


-- Rick Wanner - rwanner at isc dot sans dot org


Published: 2010-05-03

Social engineering via paper mail

Following up on yesterday's social engineering post, the banking scammers don't just rely on ZBot -- the good old "paper based" advance fee or fake letter approaches still work, too.

ISC reader David, for example, got a FedEx envelope with an unexpected check over 2'850$, with him as recipient. Diligent security specialist that he is, he called the issuing bank ... and found out that the account against which the check was drawn had zero funds. The way this works is that the bad guys follow up the first letter with a second, where they apologize for the mistake, ask the victim to "wire back" 2500$ and "keep the 350$ for your trouble". If you go ahead with this, by the time the check bounces, you have wired the money, and wired money is gone or at least very very hard to get back. Given that the crooks incur quite some expense and risk in this scenario (FedEx isn't cheap and often traceable back to the source) they must still be making a killing out of this scam.

The second scheme is phishing via old-fashioned paper mail. You get a letter stating that "for security reasons" calling the bank now requires a pin code, included below. What follows is a pin code of a length and complexity that makes it unlikely anyone would want to remember it, and two lines down, the helpful comment that the pin code can be changed by calling 1-800-whatever. You do so, and here's what happens next:

Voice: Please enter your account number, followed by the pound key [you type]
Voice: Please enter your current telephone access code [you type in the access code in the letter]
Voice: This access code is incorrect. Please try again. [you type - correctly again]
Voice: This access code is incorrect. Please hold for an operator. [you hold]
Operator: XYZ Bank, my name is QRS, how may I help you [you explain]
Operator: To identify you, we have to ask a couple of security questions. What are the last four digits of your social security number ?

Yep. You get the drift. After this exchange, they have everything they need.

Lesson learned: Do not ever call "your bank" on a telephone number included in a letter, email or left on your voice mail. Get to know some employees at the bank branch you do business with, and call them with any questions you might have. Recognizing someone's voice beats a "security pin code" any day.


Published: 2010-05-02

Zbot Social Engineering

Have you updated your awareness program lately?  A sample of the new email used to social engineer the new Zbot variant crossed my desk recently and prompted me to wonder if our security awareness had a variance to include this type of attack.  Do your users know that no one will send a password over clear text?  Do your users know the difference between plain text and encrypted text?

The tactic being used is skillful and easy to fall prey to.  Are your users "aware" of this method?


Dear Prey,

Your account has been deactivated for whatever reason and requires you to download and execute the following file.  The password for the file is 12345.

Thank you for your prompt attention to this Zbot social engineering email! 

Reputable Company


Mari Nichols

Handler on Duty


Published: 2010-05-01

Happy May Day

The past 24 hours have been somewhat uneventful.  Perhaps it's because today is May Day, a traditional holiday in many countries.  Perhaps it's because the Kentucky Derby was today.  Who knows.  Regardless, we are happy to report that we've only noted one item worthy of mentioning and that's a lapse in the Snort digital certificate.  Two readers let us know that it had expired on April 30th.  It looks like the issue has been resolved - the current certificate is good until June of next year.

Marcus H. Sachs
Director, SANS Internet Storm Center