Diaries

Published: 2003-05-30

Microsoft Security Bulletins

Microsoft has released patches for Windows 2000, NT 4.0 and XP.

Item 1
Title: Flaw in ISAPI Extension for Windows Media Services
Could Cause Denial of Service (817772)
Date: 28 May 2003
Software: Microsoft(r) Windows NT(r) 4.0, and Windows(r) 2000
Impact: Allow an attacker to execute code of their choice
Max Risk: Moderate
Bulletin: MS03-019

There is a flaw in the way in which nsiislog.dll processes incoming requests. A vulnerability exists because an attacker could send specially formed communications to the server that could cause IIS to stop responding to Internet requests.

Item 2
Title: Cumulative Patch for Internet Information Service
(811114)
Date: 28 May 2003
Software: Microsoft(r) Windows NT(r) 4.0, Windows(r) 2000, or
Windows(r) XP
Impact: Allow an attacker to execute code of their choice
Max Risk: Important
Bulletin: MS03-018

Redirection Cross Site Scripting CAN-2003-0223

Server Side Include Web Pages Buffer Overrun CAN-2003-0224

ASP Headers Denial of Service CAN-2003-0225

WebDAV Denial of Service CAN-2003-0226

Item 3 - Update to previous bulletin
Title: Unchecked Buffer In Windows Component Could Cause
Server Compromise (815021)
Released: 17 Mar 2003
Revised: 28 May 2003 (version 3.0)
Software: Microsoft(r) Windows(r) NT 4.0, Windows 2000 and
Windows XP
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-007

An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker's choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).

Item 4 - Update to previous bulletin
Title: Buffer Overrun in Windows Kernel Message Handling could
Lead to Elevated Privileges (811493)
Released: 16 April 2003
Revised: 28 May 2003 (version 2.0)
Software: Microsoft(r) Windows NT(r) 4.0, Windows(r) 2000 and
Windows(r) XP
Impact: Local Elevation of Privilege
Max Risk: Important
Bulletin: MS03-013

There is a flaw in the way the kernel passes error messages to a debugger. A vulnerability results because an attacker could write a program to exploit this flaw and run code of their choice. An attacker could exploit this vulnerability to take any action on the system including deleting data, adding accounts with administrative access, or reconfiguring the system.

References:
-----------

SPI Security Alert regarding IIS WebDAV Denial Of Service:

http://www.spidynamics.com/iis_alert.html

NSFOCUS Security Alert regarding SSI IIS 5.0 buffer overflow:
http://www.nsfocus.com/english/homepage/sa2003-05.htm

Microsoft Security Bulletins:

http://www.microsoft.com/technet/security/bulletin/MS03-018.asp
http://www.microsoft.com/technet/security/bulletin/MS03-013.asp
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
http://www.microsoft.com/technet/security/bulletin/MS03-019.asp

contributed by:

Deborah Hale. haled@pionet.net

Pedro Bueno. bueno@ieee.org

Feedback please to isc@sans.org

Published: 2003-05-18

New Virus Masquerades as Microsoft Support (Palyh)

We have received a copy of yet another worm / virus that masquerades as an e-mail from support@microsoft.com. The virus propagates via network shares and uses several web sites to download updates.
Aliases: W32/Palyh@MM (McAfee), W32.HLLM.Ccn (Dialogue Sci), W32.HLLW.Mankx@mm (Symantec), W32/Palyh-A (Sophos)
Virus Characteristics:

From: support@microsoft.com

Subject (one of the following):
Re: My application
Re: Movie
Cool screensaver
Screensavers
Re: My details
Your password
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)

Body:
All information is in the attached file.

Attachment:
Typically the attachment has a .pif extension, but this could be truncated to a .pi extension. Some possible attachment names include:
approved.pif
_approved.pif
password.pif
application.pif
screen_doc.pif
screen_temp.pif
movie28.pif
doc_details.pif
ref-394755.pif

Other Details:
Palyh will send itself to all e-mail addresses it finds in files with the following extensions:
.wab
.dbx
.htm
.html
.eml
.txt

The worm also creates a file called "hnks.ini" in the WINDOWS directory. This contains all the e-mail addresses that were collected by the worm.

The following Windows Registry items have been modified:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  System Tray = %WindowsDir%\msccn32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  System Tray = %WindowsDir%\msccn32.exe
References:

http://www.symantec.com/avcenter/venc/data/w32.hllw.mankx@mm.html

http://www.f-secure.com/v-descs/palyh.shtml

http://www.sophos.com/virusinfo/analyses/w32palyha.html

http://vil.mcafee.com/dispVirus.asp?virus_k=100307

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_PALYH.A
http://www.viruslist.com/eng/viruslist.html?id=60521

http://www.microsoft.com/technet/security/virus/alerts/palyh.asp

Other News:

http://news.bbc.co.uk/1/hi/technology/3040247.stm



------------------------------------------------

Contact: isc@sans.org


Published: 2003-05-13

Fizzer Virus / Backdoor

A new mass mailing virus, currently labeled "Win32.Fizzer.A", has been spreading for the last few days. The payload of this virus contains a few interesting features:

- In addition to e-mail, the virus uses the P2P system Kazaa to spread.

- It will try to terminate anti virus scanners.

- The virus includes a key stroke logger.

- It permits remote control via AOL Instant Messenger or IRC.

The IRC component is particularly interesting. It includes a long list of
IRC servers. The infected system will join a password protected channel on one
of these systems to wait for commands.

"Fizzer" attempts to hide its bot nature in this IRC channel by using a regular-looking
nickname. Occasionally, the bots will "chat" by sending a random string to the channel.

A summary from an IRC operator's perspective can be found in this mailing list
post:

http://www.dshield.org/pipermail/list/2003-May/008165.php

Counter Measures:

Current Anti Virus filters will detect 'Fizzer'. Stripping executable attachments will work as well.

Detection:

The virus will create the files "iservc.exe" and "initbak.dat" in the infected machine's Windows directory. See the Anti Virus vendor links below for a more complete list.

Removal:

According to BullGuard antivirus, create an empty file 'UNINSTALL.PKY' in your Windows folder, wait one minute and then delete the file progOp.exe from the Windows folder.

More details:

http://www.dshield.org/pipermail/list/2003-May/008165.php
http://www.bullguard.com/antivirus/vit_fizzer_a.aspx

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html

http://vil.mcafee.com/dispVirus.asp?virus_k=100295

http://www.kaspersky.com/news.html?id=977151

http://www.microsoft.com/technet/security/virus/alerts/fizzer.asp
--------------------------------------------------------

please send any observations to isc@sans.org


Published: 2003-05-12

Quick Launch toolbar spyware


We received a few reports of e-mails advertising the 'quick launch' spyware as
an anti virus tool. A typical e-mail reads:

--------------------------------------------------------------------------------

Subject: Windows Update Notification

WINDOWS SECURITY WARNING!!

A VIRUS HAS BEEN DETECTED ON YOUR COMPUTER. IN ORDER FOR YOUR COMPUTER NOT
TO CRASH YOU WILL NEED TO GO TO:

HTTP://WWW.WINDOWSUPDATENOW.COM

AND IT WILL AUTOMATICALLY UPDATE YOUR COMPUTERS SECURITY PATCHES.

SIMPLY TYPE IN HTTP://WWW.WINDOWSUPDATENOW.COM INTO YOUR BROWSER. OTHERWISE
YOU WILL KEEP RECEIVING THIS SECURITY ALERT EMAIL EVERY DAY

---------------------------------------------------------------------------------
Note the use of a 'plausible' domain name: windowsupdatenow.com

**This domain does not belong to Microsoft. The whois record reads:

( This Domain is For Sale )
Joshuathan Investments, Inc.
62 Cleghorn Street
Belize City, Belize none
US

Domain Name: WINDOWSUPDATENOW.COM

Administrative Contact -
This Domain Is For Sale - joshuathaninvest@aol.com
( This Domain is For Sale ) Joshuathan Investments, Inc.
62 Cleghorn Street
Belize City, Belize none
US
Phone - 501-2-31244
Fax - 501-2-34222

Technical Contact -
This Domain Is For Sale - joshuathaninvest@aol.com
( This Domain is For Sale ) Joshuathan Investments, Inc.
62 Cleghorn Street
Belize City, Belize none
US
Phone - 501-2-31244
Fax - 501-2-34222

Once you visit this page, it will redirect you to another
URL (http://www.quicklaunch.com/perl/detection.pl).

When visiting the URL, it will attempt to install the
quicklaunch toolbar ( http://download.quicklaunch.com/quicklaunch154.cab ),
a known spyware program.

Removal instructions are available here:
http://www.doxdesk.com/parasite/BrowserAid.html


Published: 2003-05-08

New backdoor - Trojan.Kaht - exploits WebDav vulnerability

Trojan.Kaht is a hacktool used by its creator to scan for and exploit
the WebDAV vulnerability in Microsoft IIS 5.0. An individual who successfully exploits this vulnerability may completely control an affected Web server.

IIS WebDAV relies on a core Windows system component, ntdll.dll, which
contains an unchecked buffer in its handling of incoming WebDAV requests. Trojan.Kaht scans for vulnerable Microsoft WebDAV (IIS 5.0) servers by sending a specially formatted WebDAV HTTP request to the server.

If the server is vulnerable, the Trojan creates a script file, kaht.html, on the compromised system. Then, the Trojan adds a user, "KaHT," to the administrator group and spawns a shell. This action gives the Trojan's creator complete control of the system.

-----

contributed by Deborah Hale. haled@pionet.net

feedback please to isc@sans.org



Published: 2003-05-06

WEBDAV Exploits on the rise

On May 7th 2003, a post to the Intrusions list noted an increase in attacks using the 'WEBDAV' exploit.
While we do not have any evidence of self replication at this point, the
tool used is very aggressive, and at least some of the attacked hosts were reported to be used in scanning for other vulnerable hosts.

The WEBDAV vulnerability, officially announced in March but available in the
underground before that, has been used for a while by various tools. The goal
of these tools has been so far to either deface websites, or to upload various
backdoors or 'irc bots'.

This latest outbreak seems to be using a more aggressive tool, probably scanning
a large number of hosts. While this tool may have the ability to replicate, we
have not seen any evidence of it. In particular for botnets, it is unusual to have the
tool copy itself to the vulnerable host. Instead, a remote control agent is used
to gain control of the host for various purposes (DDOS, port scanning).

We do not have any exploit code available for this particular tool. Based on
a post to the Intrusions list by Michael Scheidell, the following request can be found in weblogs of scanned systems:
SEARCH / HTTP/1.1\r\n", "Host: nnnnnn"

Apache logs from older WEBDAV tools:

1.2.3.4 - - [25/Mar/2003:15:07:28 -0500] "SEARCH /\x90\x04H\x04H[...]" 414 271 "-" "-"

(in place of [...], the characters \x04H are repeated many times, followed by many repeats of \x90)
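As an added example (not part of the original diary), the following Python script applies the signals described above (the SEARCH verb, the \x90 and \x04H padding runs, and the 414 status) to Apache combined-format log lines. The sample lines are constructed and the padding runs are shortened; the thresholds are assumptions.

```python
import re

# Constructed sample access-log lines modelled on the fragment quoted above.
# Apache writes non-printable request bytes as \xNN escapes, which is why the
# padding appears as literal "\x90" and "\x04H" text in the log.
SAMPLE_LOG = r"""
1.2.3.4 - - [25/Mar/2003:15:07:28 -0500] "SEARCH /\x90\x04H\x04H\x04H\x04H\x90\x90\x90\x90 HTTP/1.1" 414 271 "-" "-"
10.0.0.7 - - [25/Mar/2003:15:08:01 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
192.0.2.9 - - [25/Mar/2003:15:09:44 -0500] "SEARCH / HTTP/1.1" 411 0 "-" "-"
10.0.0.8 - - [25/Mar/2003:15:10:02 -0500] "PROPFIND /docs HTTP/1.1" 207 812 "-" "DAV client"
"""

# Combined log format: src ident user [timestamp] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S*)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
NOP_RUN_RE = re.compile(r'(?:\\x90){4,}')   # run of \x90 escapes (assumed threshold)
PAD_RUN_RE = re.compile(r'(?:\\x04H){4,}')  # run of the \x04H padding noted above


def classify(line, max_uri=1024):
    """Return the reasons a log line looks like a WEBDAV scan/exploit, or [] if none."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m['method'] == 'SEARCH':          # the WebDAV verb the scanning tools use
        reasons.append('SEARCH method')
    if NOP_RUN_RE.search(m['uri']):
        reasons.append('\\x90 padding run')
    if PAD_RUN_RE.search(m['uri']):
        reasons.append('\\x04H padding run')
    if len(m['uri']) > max_uri:          # real exploit URIs are far longer than this
        reasons.append('oversized URI')
    if m['status'] == '414':             # Request-URI Too Long, as in the log above
        reasons.append('414 Request-URI Too Long')
    return reasons


def scan(log_text):
    """Return [(source_ip, reasons)] for every line that triggers at least one signal."""
    hits = []
    for line in log_text.strip().splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((LOG_RE.match(line)['src'], reasons))
    return hits
```

A bare "SEARCH /" with no padding (the probe Michael Scheidell reported) is flagged on the SEARCH verb alone, so tune on your own DAV client traffic before alerting on that single signal.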


Relevant Links:

MSFT Announcement regarding WEBDAV:

http://www.microsoft.com/technet/security/bulletin/ms03-007.asp

ISC Analysis of WEBDAV Vulnerability:

http://isc.incidents.org/analysis.html?id=183

--------------

Please report any further details to isc@sans.org . Please submit code samples
as an encrypted zip file with password 'isc'.


Published: 2003-05-05

ICQ/MSN Messenger Fraud

We received notice about fraudulent messages sent via ICQ and MSN Messenger,
urging users to visit various websites to download Windows patches. While these
websites resemble 'official' Microsoft sites, the patch is in fact a trojan
horse. If installed, the trojan horse will connect to an IRC server and
participate in a "botnet" which could be used to portscan or to launch DDOS
attacks.

It has become a common tactic to impersonate well known web sites to either
trick the user into revealing personal information or to download and install
trojans. This class of attacks, commonly known as "cognitive hacking", represents
a variation of social engineering attacks and is not easily defeated by
technical means. User education is the number one defense. We do urge system
administrators to educate users about commonly used techniques.

In this case, a number of hints indicate that the site is not authentic:

The message arrives via MSN or ICQ. Microsoft will never use either service to notify users of patches. Neither instant messenger service should be considered
"secure". One has to understand that neither service uses encryption to transmit
messages, and authentication is weak.

The URL does not use a domain name, but an IP address. The site is not using
https, but plain http. While https can be used to make a 'fake' site look more
authentic, it adds an extra layer of complexity most malware authors avoid.

The URL includes javascript code to maximize the window. Likely, this is done
to conceal the fact that the site is not using https (the 'lock' icon moves off
the screen). More sophisticated impostors will move the actual task bar off the
screen and replace it with their own image of a 'secure' task bar.

Immediate measures:

We do recommend blocking access to the following IPs and sites used in this
scam:

200.152.5.119
212.78.206.150
209.126.216.36

Upon joining the IRC channel, the 'bots' are currently instructed to scan ports 27374 and
1243. The installed binary is 'scan.exe'. While scan.exe is not currently
detected as a virus, it will uncompress itself and extract several components
which are detected by virus scanners.

Just a reminder: there are likely variations of this basic scheme. Please do
NOT take these instructions too literally. More generally, outbound IRC traffic
and outbound scans of ports 27374 and 1243 are always suspicious.
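As an added example (not part of the original diary), the following Python script applies the immediate measures above to outbound flow records: contact with the three listed hosts, outbound IRC, and scans of ports 27374 and 1243. The flow records are constructed, and the IRC port range and scan threshold are assumptions, since the diary names neither.

```python
from collections import defaultdict

# Hosts the diary recommends blocking.
SCAM_HOSTS = {"200.152.5.119", "212.78.206.150", "209.126.216.36"}
# Ports the bots are instructed to scan, per the diary.
SCAN_PORTS = {27374, 1243}
# Assumption: the conventional IRC port range; the diary gives no port.
IRC_PORTS = set(range(6660, 6670))

# Constructed outbound flow records (src, dst, dst_port); not real traffic.
SAMPLE_FLOWS = [
    ("10.1.1.5", "200.152.5.119", 80),      # fetch of the fake "patch"
    ("10.1.1.5", "212.78.206.150", 6667),   # bot joins its IRC channel
] + [("10.1.1.5", f"10.1.2.{n}", 27374) for n in range(1, 9)] + [
    ("10.1.1.9", "10.1.2.1", 27374),        # a single hit: not a scan by itself
    ("10.1.1.9", "198.51.100.4", 443),      # ordinary HTTPS
]


def analyze(flows, scan_threshold=5):
    """Return {src: [findings]} for sources showing the behaviours described above."""
    findings = defaultdict(list)
    scan_targets = defaultdict(set)   # (src, port) -> distinct destinations seen
    for src, dst, dport in flows:
        if dst in SCAM_HOSTS:
            findings[src].append(f"contacted blocked scam host {dst}:{dport}")
        if dport in IRC_PORTS:
            findings[src].append(f"outbound IRC to {dst}:{dport}")
        if dport in SCAN_PORTS:
            scan_targets[(src, dport)].add(dst)
    for (src, dport), dsts in scan_targets.items():
        # One connection is noise; many distinct targets on one port is a scan.
        if len(dsts) >= scan_threshold:
            findings[src].append(f"scan of port {dport}: {len(dsts)} hosts")
    return dict(findings)
```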

------
Matt Scarborough contributed to this report.
Please send feedback to isc@sans.org
