Threat Level: green Handler on Duty: John Bambenek

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-16 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

German Spam (concise version); MS05-021 and Snort Signatures; Is it a security problem?

Published: 2005-05-16
Last Updated: 2005-05-17 17:25:20 UTC
by Jim Clausing (Version: 1)
0 comment(s)
<H3>German Spam (Concise Version)

These first two sections were provided by yesterday's handler on duty, Scott Fendley. Thanx, Scott.

As there is still many email coming in concerning the German Spam diary yesterday, We are going to provide a little more concise version of the information (or as concise as I can be). The longer version of the diary is located at http://isc.sans.org/diary.php?date=2005-05-15 .

On Saturday evening (Sunday Morning UTC), a large number of "German Spams" were sent all over the world. As the details of this unfolded (see http://www.viruslist.com/en/weblog for the initial analysis), it was discovered that a recent variation of the Sober virus had downloaded new functionality and was proceeding with spamming political propaganda to any addresses gathered from the infected computer. Many anti-virus companies are calling this new malware as Sober.Q. A (mostly) complete list of anti-virus references will follow this brief.

The spammed email do not at this time appear to have any viral content, just links to German based websites that have been characterized as pro-neonazi, racist, anti-immigrant and/or generally right-wing extremist. The timing of this attack coincides with an election in the state of Northrhine-Westfalia and also the end of World War II in Europe and may serve as the motivation for the spam. As the virus does not appear to do any filtering of email addresses to direct it to only German speakers, or even the German .de top-level domain, many networks have reported receiving a staggering number of email in other parts of the world.

Last year, the Sober.G virus was also used to spam political content prior to the European Parliament election. More recently, Sober.N was used to infect computers while enticing the recipient that they had won World Cup soccer tickets for 2006 which may have been

In yesterday's diary, Eric Conrad kindly provided postfix regex, and spam assassin rules that could be useful in stemming the impact of this junk email using the common subject lines. Additionally, Dirk Mueller also released a filtering technique that does not rely on the subject lines. Please take a look at http://isc.sans.org/diary.php?date=2005-05-15 near the 20:30 UTC update for this information.

Some users have reported mini Denial of Service attacks due to the German spam involving the email based text messaging on cell phone and blackberry devices. Others have seen large amounts of bounced email as the virus forges the from address of email it sends out.

Antivirus Links:


http://www.viruslist.com/en/weblog
http://www.trendmicro.com/vinfo/PrinterFriendly/printerfriendly.asp?VName=WORM%5FSOBER%2EU

http://www.sarc.com/avcenter/venc/data/trojan.ascetic.c.html

http://www.antivir.de/de/vireninfos/virenlexikon/index.html?show=1&tx_ideaavviruslex_pi2[showUid]=841&no_cache=1

http://www.f-secure.com/v-descs/sober_q.shtml

http://www.sophos.com/virusinfo/analyses/trojsoberq.html

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=74204

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43003
Update: 2005-05-17 17:15 UTC

Several of our readers have pointed out, that filtering based on the URLs in the body of the e-mail has proven more effective than filtering on the subject lines, since the subject lines seem to change more rapidly, while the URLs in the body have remained static. We just wanted to pass this info on to those still fighting significant amounts of this spam. Also, another of our readers, Frank, has had excellent success by looking at some of the other headers generated by the Sober.Q SMTP engine. See http://www.viruswatch.nl/info/soberq_filter.html for more info on this technique.

<H3>MS05-021 and Snort Signatures

Today, one of the Unisog readers posed a question to me (Scott still) about wether anyone else had seen been seeing exploitation of MS05-021 recently. At the time, I did not have a snort signature so I had not seen it. Hugues De Payens threw one together and later found that Erik Fichtner had added one to Bleeding-Edge Snort (which is below).

So as you can tell, I have been a bad handler by not keeping my signatures up to date in snort. I guess I will get slapped on the hand with a ruler by the school marm of the Storm Center soon. But I digress...

So is anyone seeing active wide-spread attacks against machines using the MS05-021 vulnerability?

For more information about the exploit, please see: http://www.securiteam.com/exploits/5XP0F2KFGA.html

The series of Bleeding Edge Snort Sigs (thanks to http://www.bleedingsnort.com/ )

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack"; content: "X-LINK2STATE"; nocase; flow:to_server,established; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001848; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack"; content:"X-LSA-2"; nocase; flow:to_server,established; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001849; rev:2;)

alert tcp any any -> $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; flow:to_server, established; flowbits:set,msxlsa; threshold: type limit, track by_src, count 1, seconds 60; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001873; rev:3;)

alert tcp any 25 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags:R; flowbits:isset,msxlsa; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001874; rev:3;)

pass tcp $SMTP_SERVERS 25 -> any any (msg:"BLEEDING-EDGE EXPLOIT MS Exchange chunks accepted"; content:"200 DONE"; nocase; flowbits:isset,msxlsa; flow:from_server,established; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001875; rev:3;)

alert tcp $SMTP_SERVERS 25 -> any any (msg:"BLEEDING-EDGE EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021)"; content: "500 DROP"; nocase; flowbits:isset,msxlsa; flow:from_server,established; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001876; rev:3;)

Is it a security problem?



Jim here with a few thoughts from my day job. This weekend/morning was not a good one for hardware. I had both a server and a firewall suffer from disk problems. The firewall is a small appliance for a remote office (the disk is virtually inaccessible and it is easier to replace the entire appliance than just the disk). It is a model that is no longer manufactured, thought it is still "under service." We've been seeing disk errors in the logs since Friday, so we contacted our service provider and they shipped out a newer model. Unfortunately, when the new box arrived on site, the power cord that was shipped with it, didn't work with that model. So, they are finding another of the older model and shipping it out, it should arrive on site momentarily. Sigh.... Fortunately, the machine has remained up since being power cycled this morning. Is it a security problem? It isn't malware or an intrusion, but when it goes, this remote office is off the air.

We also had a disk go bad on a server over the weekend. We were doing all the right things, the disks were mirrored and (supposedly) hot-swappable. The maintenance provider was called out and came to replace the disk. Unfortunately, our logs show that within one second of the hot-swappable disk being plugged in, we start showing errors on the 3 other disks in the machine. The machine, that had still been running on the mirrored disks, came down hard at that point. I guess the moral of this part of the story is that just because a device/component claims to be hot-swappable doesn't mean it works that way in real life. Fortunately, the tech on site was able to get the machine back up in relatively short order. With all this excitement on the day job, it is probably a good thing that most of the e-mail to the handlers today was related to the German spam and Scott has handled that admirably. Thank you again, Scott.



------------------------

Scott Fendley and Jim Clausing, sfendley and jclausing, respectively (@isc.sans.org)
Keywords:
0 comment(s)
Diary Archives