Diaries

Published: 2007-12-31

False Positives from CA's AV for certain Javascript apps

We have gotten a number of reports of CA's eTrust AV and InnoculateIT AV product, AKA Vet Anti Virus, giving false positives for certain complex javascript applications.

CA has been notified and it looks like updating to signature file 31.3.5419 will solve the problem.

0 Comments

Published: 2007-12-31

New Vulnerabilities in ClamAV

Roflek and Lolek of TK53 has published a couple new vulnerabilities in ClamAV. Specifically three vulnerabilities- a race condition, a way to bypass scanning in Base64 UUencoded files, and finally a failure in file existence checking that potentially allows an attacker to overwrite files. It's a good read, full details are here: http://seclists.org/fulldisclosure/2007/Dec/0625.html

0 Comments

Published: 2007-12-30

A little discussion on blog-hosted malware

Tom Mercado over at TeMerc has posted some discussion around the increasing amount of malware showing up on Blogspot:

http://temerc.com/phpBB2/viewtopic.php?p=3427118&sid=a9a9ac1a1a681537c20fac3ebbfeba89#3427118

He has a couple of good links to further analysis and details that make it a good read.

Update

We've had an e-mail in today from Ian who highlighted a potential AV false positive which we are still looking at. However, it was interesting to note that this issue manifested itself into blogspot hosted malware.

(Warning Will Robinson, Malware Ahead)

hxxp://katuvideo.blogspot.com/2007/12/jssanza.html

which reports to host a video downloaded from hxxp://klikme.cn

which tries to download hxxp://katuvideo.blogspot.com/2007/12/jssanza.html which tries to download a binary, which has very poor VT pickup:

File install_video_3913230.exe received on 12.31.2007 13:13:31 (CET)
Current status:  finished
Result: 8/32 (25%)

 So, watch those wiered blogspots! This is just an example of how quickly the AV issue with CA Antivirus was used as a method to trick people into installing malware.

0 Comments

Published: 2007-12-29

A Year In Review - A Look Back at 2007

Here we are, closing in on the end of another year.  The year 2007 has been a rather interesting year in the land of bits and bytes and the land of the Internet/Cyberspace. I was contemplating the past 12 months and trying to determine what the highlights would be.  I decided to turn to the Internet itself and see what my fellow computer security folks were saying.

I first turned to the folks at IronPort.  IronPort has posted a paper on their site that gives their take on the past 12 months.  Their observations are quite interesting and in my opinion on target.  You can take a look at their report at:

http://www.ironport.com/securitytrends/

In their report they indicate that it appears that the spam volume has increased and has become more dangerous in nature.  No longer does spam just try to sell us ridiculous things it now attempts to lure us into clicking on the link that leads to identity theft and/or malicious program installation and virus infections.  I know that it has been said a hundred times in the past but it bears repeating…  Think Before You Click…  If only we could get this one point across to our non techie, home users, we could clean up a lot of the bad stuff happening out in Cyberspace.

Next I turned to our own SANS Internet Storm Center.  

http://isc.sans.org/diaryarchive.html

One of the biggest threats we had this year was the early and on going outbreak of the Storm worm/Trojan/virus.  Around the middle of January 2007 we began to see emails surfacing with subjects ranging from dangerous storm in Europe, super bowl excitement, to announcements of the death of Castro and Hussein’s resurrection.  Throughout the year our inboxes were blasted with greeting card links from family members, business colleagues, friends celebrating every holiday between Super Bowl Sunday and the upcoming New Years Day.  At its heyday some “experts” believe that we had as many as 10 million infected computers.  Microsoft Defender update is said to have removed the infection from close to 250,000 computers alone in the month of September. We do know that there are still a number of infected computers out there and plenty of Storm Bot activity still exists.  A new round started last week and is trying to get a foot hold on computers that are not already infected or have been cleaned and not been properly protected. The only way we can eliminate this type of activity is to become Cyber Savvy and conscientiously work to improve the security of our business and our home computers.

This year also saw an increase in the number and sophistication of the XSS, PHP and web defacements.  It seems like every time we turned around there was another alert, warning or patch being released. 

We also had the change to the Daylight Savings Time begin and end to deal with.  Luckily this for the most part turned out to be a non event.  Sure there were some problems but the Internet did not crash and burn as a result of the change.  Now as to whether or not this change was wise and is really going to save energy/money/fuel has yet to be seen.  I am not sure how long it will be before we see anything concrete on that topic.

Back in October, if you recall, we did a full month of Cyber Tips.  I for one can tell you we got some tremendous input from our readers on both the topics that should be covered and on the information/action items that were posted in the diary each day.  It was great getting the feedback and I think all of the Handlers that participated and assisted in the development and review of this information did a terrific job. And I think we all felt that we had learned a lot from you, our loyal readers.

Then I turned to SANS Institutes Top 20 and Top 10 lists.  A Must reading for all who are involved in Internet or Computer Security.

SANS again has updated the Top 20 Security Risks

http://www.sans.org/top20/

 and

the Top 10 Security Trends

http://www.sans.org/resources/10_security_trends.pdf

It is very helpful and interesting reading. If you haven’t looked at these already you should.  May even give you some insight into things to come.

I could go on for pages and pages about the year in review.  However, that might be pretty boring.  So with that I would like to open this up to you our readers.  What do you think was the most interesting/critical thing that we faced in 2007?  If you have any thoughts on what 2008 will hold, let us know. 

I have been trying to figure out what my slogan for 2008 will be.  I haven’t found a really awesome one yet.  I am leaning towards:

 Security – Make it great in 2008.

Let us know if you have any really good ones. In the meantime, I want to say thank you to the best group of friends I have ever had, my fellow handlers.  To those of you that I have met in person and to those who I only know from the “room” and email, may you have the happiest New Year ever.  I look forward to spending another year with each and every one of you.  To all of our readers and contributors, thanks for an awesome year and I look forward to hearing from you in 2008.

Signing off – Til next year.

Deb

 

Update 12-31-07:

 It appears that Symantec has posted their 2007 Year In Review. They have a very interesting list. Thanks to Juha-Matti for sending us the link.

www.symantec.com/enterprise/security_response/weblog/2007/11/a_lookback_at_the_security_tre.html

0 Comments

Published: 2007-12-26

Bleeding Stopped? Emergingthreats.com rises

Some of our readers may have noticed that bleedingthreats.net and its associated websites were timing out this morning.  Dave G was the first on our side to notice it.

That just in from Matt Jonkman:


"In light of the unavailability and repeated outages of the old Bleeding
Threats site we're going to replicate that ruleset on the Emerging
Threats website. More info on the site: http://www.emergingthreats.net
 (we've just moved DNS, so you may have an old IP for a few more
minutes, refresh later if you get a placeholder page)
"

Hope you and yours had a great Holiday!

Mike Poor, H.O.D.

Intelguardians

 

 

0 Comments

Published: 2007-12-25

Digital Hitchhikers

We received a report this afternoon from someone who had recently received a digital picture frame.  Unfortunately, it had a extra component with it.  The built-in storage came with what appears to be some malware already loaded on it -- a file called 'cfhskjn.exe' was on it when unpacked.

Some of the behavior seen when the digital picture frame was connected to the computer was:

  • MSCONFIG would not run - it would briefly open and then terminate
  • The system would blue screen when starting in safe mode
  • Going to various anti-virus websites would result in the web browser terminating
  • Various popups for random name.exe "with 'not valid image' messages

This specific product was an "ADS Digital Photo Frame - 8"  (sold by Sam's Club - see http://www.samsclub.com/shopping/navigate.do?dest=5&item=368725) but this type of infection can, and has affected other portable devices with internal storage.

Kaspersky has a blog entry 'Adventures at altitude'  (see http://www.viruslist.com/en/weblog?discuss=208187471&return=1) about one of their employees who bought a Kingston CF memory card that came with a virus on it.

Whether its a picture frame, a digital camera or any USB, CF, SD, etc memory card, the portable nature of these devices dredges up of memories of all the floppy boot viruses we used to have to deal with.  [ What's a 'floppy disk' you ask?  ;-) ]

Care should be taken when attaching storage devices to your computer to ensure you scan them for possible malware and handle them in as secure a fashion as is possible. 


David Goldsmith (dgoldsmith -at- sans.org)

0 Comments

Published: 2007-12-25

Happy New Years .... from the Storm Worm

Now that Christmas is here, the Storm Worm is moving on to New Years.

Overview and Blocking Information

Shortly before 1600 GMT 25-DEC-2007 we got a report  indicating that the Storm Botnet was sending out another wave of attempts to enlist new members.  This version is a New Years-themed e-card directing victims to "uhave post card.com." (spaces inserted to break the URL)   NOTE: Please do not blindly go to this URL -- there is malware behind it.

The message comes in with a number of subjects and body-text.  The one line message bodies are also being used as the subject lines.

Seen So Far:

A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year

Thanks to David F for the initial report.

We recommend applying filters blocks on the domain (u have post card.com) for both incoming email and outbound web traffic.

Under The Hood

As with 'merry christmas dude.com',  this domain appears to be registered through nic.ru.  It also appears to be hosted on the same fast-flux network , now with at least 8000 nodes. 

If you go to that web site, currently the malware file is 'happy2008.exe'.  We will add more analysis details throughout the day as we get them.
 


David Goldsmith (dgoldsmith -at- sans.org)

 

 

0 Comments

Published: 2007-12-24

A Christmas Packet Challenge

There is no better Christmas gift, that I can think of to give, than one that involved packets.  Its been awhile since I posted a packet challenge, but I couldn't let Christmas go by without posting one.  So for all you fellow packet heads out there, here is one for you to spend your holidays pondering.  This challenge is different from last year, so let me tell you the rules for solving this one.  I will give you your first clue to start you off, but you can choose the approach you take:

Approach #1:  Download the file called xmas_Starter.pcap which contains the single starter packet and look at it in your favorite sniffer to extract the payload to decode.

or

Approach #2:  For all you die hard hex geeks, I've dumped the packet in hex into a text file called starter_challenge.txt for your viewing pleasure.  Find your payload in the hex dump and decode it.

In the payload, you will find a Christmas question that has a numeric answer.  The correct answer will be the exact packet  in the xmas_challenge_2007.pcap file where you will find your next Christmas question.  So for example, if the answer is 30, then packet number 30 will be the packet you are looking for in xmas_challenge_2007.pcap.  Do NOT start counting at the packet for which you just answered a question, you will be wrong.  Each question is in the payload and must be deciphered.  There are misleading packets in this challenge, make sure you know your Christmas trivia or you could end up on the wrong packet!   How will you will know when you are at the end of the challenge?  The last packet you are directed to, will not have a question, but will have a message from the handlers to all our readers.  It also may or may not contain the message in one single packet:>)

For those who accept the challenge, send in an email listing each question you found and what the message is from the ISC handlers to everyone.  If you get stuck, send in an email too and we'll get you back on track!  I'll post the results in a week or so to give folks time to play.  Good luck to everyone and let the games begin!!!

Merry Christmas!!

 

 

3 Comments

Published: 2007-12-24

Anticipated Storm-Bot Attack Begins

Shortly after 0000 GMT 24-DEC-2007 reports came in indicating that the Storm Botnet was sending out another wave of attempts to enlist new members.  This version is a Christmas-themed stripshow directing victims to merrychristmasdude.com.

The message comes in with a number of subjects:

 

Subject: I love this Carol!
Subject: Santa Said, HO HO HO
Subject: Christmas Email
Subject: The Perfect Christmas
Subject: Find Some Christmas Tail
Subject: Time for a little Christmas Cheer

The body is something similar to:

 

do you have a min?



This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-)

http://merry christmasdude.com/

 

[the domain was interrupted for your protection]

Thanks Kevin for the initial report.

I recommend that you apply blocks on that domain (merrychristmasdude.com) for both outbound HTTP requests and incoming emails.


Kevin Liston (kliston -at- isc.sans.org)

0 Comments

Published: 2007-12-23

Facebook and PGP

Facebook has taken a step in the right direction by adding the ability to add a link to your public PGP key.  It also allows you to see which of your friends have keys.  Hopefully it will also spread the word about PGP and allow for a more secure/safer social networking site.  Granted, with PGP, there is a level of trust needed.  However, it is still a step in the right direction and affords the benefit of no need to go searching public key servers looking for the key you need.  You can find the app located here www.facebook.com/apps/application.php

 

0 Comments

Published: 2007-12-20

Getting a web browser without a web browser?

The ongoing issues and questions about Internet Explorer raised an interesting question: On Windows, if Internet Explorer doesn't work for some reason, how would you get a working web browser?

It turns out the command line "ftp" tool (included with windows) could be used to get firefox from an ftp mirror of the Mozilla software collection.  Get to a command prompt ("Start", "Run" and type "command<Enter>").  In that command prompt, run:

ftp ftp.osuosl.org
User: anonymous
Password: {your email address}
cd /pub/mozilla.org/firefox/releases/2.0.0.11/win32/en-US/
binary  
mget *.exe
(say yes to getting Firefox Setup 2.0.0.11.exe)
quit    

        
        Now that you're back to the command prompt, run this command, including the quotes as the file has spaces in the name:

"Firefox Setup 2.0.0.11.exe"


This post isn't intended to imply that Firefox is better on any level.  We just wanted to offer a way to get a working web browser if Internet Explorer refuses to run for any reason.

3 Comments

Published: 2007-12-19

Perhaps there's something wrong with me...

Ok... so UNDOUBTEDLY there is something wrong with me, but I found this to be particularly funny:

CyberLover.ru, a site out of Russia, is selling a "hot, sexy" chatbot that they claim can trick unsuspecting men into divulging personal information, using any of 10 different personalities.  They claim that their bot is so realistic that it can get victims to hand over phone numbers, addresses, photos, and more.

For years now, I've suspected that several of the ISC Handlers, who I know only via our Sooper Sekret Online Chat Room, are actually cunningly crafted perl scripts-- now I have some circumstantial evidence supporting that theory. 

So.... the next time the Handler's chat starts getting all "frisky," I'm keeping my credit card numbers to myself...

2 Comments

Published: 2007-12-19

Orkut XSS Worm

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected approximately 400,000 Orkut users.  The malicious code is apparently fetched from the site "http://files.myopera.com" and is called, conveniently enough, "virus.js."

1 Comments

Published: 2007-12-19

MS07-069 - Post install issue

We have been working with Microsoft and a couple of our readers on an issue they have been having with MS07-069 and IE crashing after the roll up patch for IE has been installed.

Well the Microsoft MSRC have updated their blog and there is a KB article which provides a workaround.

So if you have a customised installation and have been having IE issues since MS07-069, this could be your solution.

 

 

0 Comments

Published: 2007-12-19

Adobe Flash Player and GoLive security updates

Adobe has released updates which fix several critical vulnerabilities in Flash Player and GoLive.

Flash Player 9.0.48.0, 8.0.35.0 and 7.0.70.0 and earlier are affected by CVE-2007-6242, CVE-2007- 4768, CVE-2007-5275, CVE-2007- 6243, CVE-2007- 6244, CVE-2007- 6245, CVE-2007-4324, CVE-2007- 6246 and CVE-2007-5476.

Several of the issues resolved are input validation errors, which could allow an attacker to execute arbitrary code through content delivered from a web location. This update resolves issues reported on various platforms (Mac OS, Linux, Windows). Adobe strongly recommends users of this version to upgrade to Flash Player 9.0.115.0 which can be downloaded from a link in their bulletin.

GoLive 9 and GoLive CS2 are affected by CVE-2007-2244 and CVE-2007-2365. These vulnerabilities are somewhat more difficult to exploit, but they can be exploited by convincing a user to include crafted BMP, DIB, RLE or PNG content into a GoLive document. Impact remains execution of arbitrary code, so we strongly recommend implementing the update.

0 Comments

Published: 2007-12-19

Got a HP laptop and running windows? Time to patch!

HP released a vulnerability notice to Bugtraq on the 15th December indicating that :

A potential security vulnerability has been identified with the HP Quick Launch Button (QLB) software running on Windows. The vulnerability could be exploited remotely to execute arbitrary code or to gain privileged access.

Well, we received an e-mail from our good friend Raul Siles which indicate that this is potential more serious than a 'potential vulnerability' as POC code exists which grants remote access.

Some related references:

http://www.anspi.pl/~porkythepig/hp-issue/kilokieubasy.txt

http://www.heise-security.co.uk/news/100459
http://www.heise-security.co.uk/news/100625

A workaround which disables HP Info Center is being hosted here:

ftp://ftp.hp.com/pub/softpaq/sp38001-38500/
ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html

 

 

0 Comments

Published: 2007-12-18

Safari 3 Beta Update 3.0.4 Security Update

As we mentioned last night about the Apple Security Update, there is also an update for Safari 3 Beta.  Go here to get the newest version.

CVE-ID:  CVE-2007-5858

Impact:  Visiting a malicious website may result in the disclosure of sensitive information

Description: WebKit allows a page to navigate the subframes of any other page. Visiting a maliciously crafted web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information. This update addresses the issue by implementing a stricter frame navigation policy. (This issue is addressed for Mac OS X in Security Update 2007-009.)

(This is only for Windows XP and Windows Vista users, for Mac users this isn't an issue since it's rolled up in 2007-009)

Joel Esler

http://www.joelesler.net

0 Comments

Published: 2007-12-17

Apple Security Update 2007-009

Apple has just released security update 2007-009 which contains fixes for several key components of the Mac OS X operating system. The following downloads are now available:

2007-009 10.5.1 includes fixes for Core Foundation, CUPS, Flash Player Plug-in, Launch Services, perl, python, Quick Look, ruby, Safari, Samba, Shockwave Plug-in and Spin Tracer.

2007-009 10.4.11 Universal and 10.4.11 PPC include fixes for Address Book, CUPS, ColorSync, Core Foundation, Desktop Services, Flash Player Plug-in, gnutar, iChat, IO Storage Family, Launch Services, Mail, perl, python, ruby, Samba, Safari, Shockwave Plug-in, SMB, Spotlight, tcpdump and XQuery

0 Comments

Published: 2007-12-17

Responding to a file-parsing application attack

We’ve all had situations in which our organization received a malicious binary, and we needed to understand rapidly what it did. Application level exploits are more difficult to investigate, as they have much greater dependence on their environment than the average Windows binary. In July of this year, we received one such targeted attack sample, with limited AV coverage at the time:

AntiVir 7.4.0.39 20070711 EXP/Office.D
Avast 4.7.997.0 20070711 MW97:CVE-2006-2492.Gen
AVG 7.5.0.476 20070711 Exploit.Oledata
BitDefender 7.2 20070711 Exploit.MSWord.Ginwui.Gen
DrWeb 4.33 20070711 Exploit.Wordbo
F-Prot 4.3.2.48 20070710 CVE-2006-2492
Ikarus T3.1.1.8 20070711 Trojan-Dropper.MSWord.1Table.bd
Microsoft 1.2704 20070711 Exploit:Win32/Wordjmp.gen
Symantec 10 20070711 Bloodhound.Exploit.86
VBA32 3.12.0.2 20070710 suspected of Exploit.Signature

There are two common scenarios of attack involving Word documents:

  • Documents that are in themselves not malicious but contain a malicious “embedded object”. This attack methodology is commonly used in the IRS/BBB/DOJ Trojans that have been reported throughout 2007. From an investigation point of view, Trojan binaries are easy to extract. Open the document in Wordpad (preferably in a Virtual Machine), and copy paste the object into another directory;
  • Documents crafted to exploit a file-parsing vulnerability in the application software. In this case, the document contains a crafted component which exploits a specific vulnerability, followed by shellcode which takes further action. It generally either downloads an external, second-stage payload, or executes an embedded Trojan binary. These attacks are sparingly used “in public”, but are very common in closely targeted attacks.

In the second scenario, it’s rather difficult to investigate the embedded Trojan. One way of approaching this is by installing a post-mortem debugger on a vulnerable system, and having a look at what happens upon opening the malicious file. However, you may not always have an accurate combination of both application and Operating System available.

In some cases there is an easier way. As the resulting shellcode and binary Trojan are completely independent from the Word document, they are often plainly visible and can relatively easily be identified using a HEX editor.

When reviewing our Word document in such a tool, I focused on the “MZ” magic string identifying a Windows binary. PE binaries are prefixed by a stub MS DOS executable. This executable was introduced for compatibility reasons and is ignored by Windows loaders. It merely displays “This program cannot be run in MS-DOS mode”, after which it returns control to the operating system. As such, grepping a file for “DOS mode” can quickly reveal embedded binaries.

This file however, didn’t contain such string. Exploit developers often use encoding to make the resulting document difficult to analyze, and to hide the actual shellcode and any embedded files from plain sight. A very common way of doing this is by XOR’ing each byte of the code with a specific key.

Didier Stevens, a Belgian researcher wrote a great tool called XORsearch, which allows you to search for a specific string in a XOR encoded file. As there are a number of strings we know we can search for, this tool can save us a lot of hassle:

qetesh:~$ xorsearch -s malcode3.doc "http"
qetesh:~$ xorsearch -s malcode3.doc "DOS mode"
Found XOR FF position 1246C: DOS mode....$
qetesh:~$

In this case, I searched for “http” to see whether any download URL was present. This is common in exploit samples where the initial code connects to a remote server to download a second stage payload. The search however was unsuccessful. Searching for “DOS mode” though, reveals a Windows executable around position 1246C, XORed with key 255. The parameter “-s” requests xorsearch to dump the complete Word document, XORed with this key, to disk..

If we’re lucky, and the file is encoded with a single key, it now becomes trivial to extract it from the image xorsearch has dumped. We can either copy the PE headers into a hex editor and calculate the full file length (HEX editors with PE templates – like HEX Workshop or 010 Editor are useful for this). Alternatively we can use a forensic file carver such as “foremost” to extract it in a more automated fashion:

qetesh:~$ foremost -i malcode3.doc.XOR.FF
Processing: malcode3.doc.XOR.FF
|*|
qetesh:~$ ls -la output/exe/
total 72
drwxr-xr--  2 user user  4096 Dec 15 20:27 .
drwxr-xr--  4 user user  4096 Dec 15 20:27 ..
-rw-r--r--  1 user user 59392 Dec 15 20:27 00000146.exe
qetesh:~$

Now we can use our standard malware analysis techniques on the  binary. It turns out anti virus was only flagging this file heuristically as the binary, through packing, applied entry point obfuscation and other anti-debugging tricks:

AntiVir 7.4.0.39 20070711 HEUR/Malware
CAT-QuickHeal 9.00 20070711 (Suspicious) - DNAScan
Sunbelt 2.2.907.0 20070711 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 20070711 Heuristic.Malware

After unpacking and analysis, it became clear the Trojan gathered credentials for e-mail accounts and web mail providers, shipping these off to an HTTPS server in Hong Kong. Simultaneously, it opened a reverse backdoor to a second server located in Taiwan.

This approach to dealing with application exploits isn’t complete at all – there are plenty of opportunities for the attacker to render it useless, or even trick the analyst in believing a component is important, while it really isn’t. On the other hand, it does offer us as incident handlers a quicker way of assessing the situation.

--
Maarten Van Horenbeeck

0 Comments

Published: 2007-12-14

SquirrelMail release 1.4.13

The analysis of the Squirrelmail 1.4.12 code base is in, and it would look more serious than first thought. 1.4.11 would appear to have also been affected, so they have released 1.4.13 and have posted the following announcement:

Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release 1.4.13 to ensure no confusions. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.

Details, and the updated bundles (please remember to check those MD5's and PGP sig's) at www.squirrelmail.org/

 

0 Comments

Published: 2007-12-14

Cisco password tricks

Jon, wrote in to tell us about this unusual cisco IOS “trick”.

Jon and several of the handlers discussed this in detail. I have included a summary of those discussions.

http://ioshints.blogspot.com/2007/11/type-7-decryption-in-cisco-ios.html
This describes a way to decode type 7 password without any additional software. There has been software available for many years that can do this but I believe this is the first time Cisco has provided a feature like this to display type 7 passwords in plain text directly on the router. In my opinion passwords should never be displayed in plain text. However some passwords and other “secrets” that are stored on a router or network element have to be stored in a reversible form of encryption as the plain text password is needed by the router due to the protocol specification. Many of the password protected by reversible encryption are also transmitted over the network in plain text so extensive work to secure them is probably not worth the effort. Cisco is not the only vendor who does this. Most network element vendors have reversible encryption algorithms. It may not be as well known as Cisco’s type 7 but when the router needs to reverse the password it can and the plain text password is stored in memory at least for a short period of time. 


So how does one go about ensuring their Cisco router meets minimum security requirements?
Cisco’s autosecure which is available in IOS version 12.2 and greater is a good easy to use tool that will assist you in securing their routers.
Cisco’s “tested and validated security solutions” which used to be called SAFE has lots of guidance for cisco elements. http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html

Additionally I recommend the benchmark and tool from CISecurity.org.
http://www.cisecurity.org/ the benchmark is very detailed. It includes the commands needed to implement a security recommendation and explains why you might want to implement that feature.
It was recently upgraded and released in Nov 2007.

I also recommend reading rfc3871 “Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure “. Although targeted towards large ISPs many of the recommendations are worth understanding. It is not vendor specific and many of the ideas can be used in a mixed vendor environment.

1 Comments

Published: 2007-12-14

Frosty The Snowcrash


Ladies and Gentlemen, the end is near!... the end of the year that is.  During this wondrous time of winter cheer, what a better way to escape the holiday shopping madness than to fully immerse yourselves in Ed Skoudis' latest creative challenge:  Frosty the Snowcrash. 

As many of you already know, my good friend Ed's hacker challenges are an exciting and creative way to test your 1337 security kung fu skills.  You can find his latest masterpiece at www.ethicalhacker.net

As is customary during this time of year, analysts that are good (well, they have to be very very good) will get presents (sometime known as prizes); those that are bad (well, in fact everyone else) will get a lump of coal (actually, they will receive an email with an ascii art drawing of a lump of coal).

So, you think you have good kung fu?  Head on over to see if you can solve the Frosty the Snowcrash Challenge.

Happy Holidays!

Mike Poor
Intelguardians

0 Comments

Published: 2007-12-14

SquirrelMail package compromise

The SquirrelMail project has posted a notice on their website stating they have found an unofficial modification in the packages for version 1.4.12. They believe this change to have been made through a release maintainer's compromised account.

They are still investigating the changes, which appear to result in an error and do not seem to lead to system compromise. However, they have restored the original, verified packages to Sourceforge. Users having implemented version 1.4.12 of Squirrelmail after December 8th are strongly advised to redownload and reinstall the package.

Thanks to Peter for bringing this to our attention.

0 Comments

Published: 2007-12-14

Important upgrade for Juniper routers

        Juniper Networks has put out an important advisory related to their routers.  It appears that malformed BGP packets may induce interface flapping.

        If you're a registered user, please see:
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMode=view

        There's a discussion about the problem at:
https://puck.nether.net/pipermail/juniper-nsp/2007-December/009296.html

        This issue should be addressed as soon as is practical.

0 Comments

Published: 2007-12-14

QuickTime 7.3.1 released addresses RTSP vulnerability

A new version of Apple QuickTime, 7.3.1,  is available that addresses the RTSP vulnerability we covered here: http://isc.sans.org/diary.html?storyid=3690

From:  http://docs.info.apple.com/article.html?artnum=307176
“QuickTime 7.3.1
QuickTime
CVE-ID: CVE-2007-6166
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.”

The update is available here:
http://www.apple.com/quicktime/download/
 
Thanks go out to Juha-Matti and Roger for sending this in.

0 Comments

Published: 2007-12-13

A day in the life of a firewall log

Every now and then when you have one of those days some nice therapy is to go through the firewall logs.  After all, whilst junior is doing a good job, you do need to keep your hand in, you never know what you might find.

This particular firewall often has some interesting logs entries as it hooks up to a public C class network.  So patterns are often more obvious than may be the case on smaller networks.

The way I broke the logs down is very simple.  Using the DSHIELD Universal Firewall Client I reduced the firewall log down to the basic information that is typically submitted to the DSHIELD.  It gives me a time, source, destination IP and ports and the protocol.  The information left are all the denies, but as I’m looking at a class C anything unusual is likely to hit a closed port on one of the addresses and at this stage I’m interested in getting an idea of what is happening in this particular nick of the woods, nothing more.

So what did 12/12 bring?
Firstly lots of SPAM, both email and Instant Messaging (IM) spam.   The mail SPAM is being sent to the secondary MX record.  The reason it is bouncing on this particular firewall is because the port is closed, unless the primary mail server can’t be reached.  About 13K SPAM emails were “delivered” to the secondary MX address.  This is approximately triple the amount delivered to the primary mail server for this site.   The sources varied, but the following list of countries was responsible for most of the SPAM (and pretty much anything else as well):  China, Russia, Thailand, Peru, Turkey, Italy, Columbia, and Poland.

What else was there?
(btw most of the entries shown were repeated for a significant number of hosts on the subnet)

The explained
Hosts looking for open proxies:
195.10.123.118    3142    abc.def.ghi.198    80    TCP
195.10.123.118    3143    abc.def.ghi.198    443    TCP
195.10.123.118    3148    abc.def.ghi.198    1080    TCP
195.10.123.118    3145    abc.def.ghi.198    3128    TCP
195.10.123.118    3146    abc.def.ghi.198    8000    TCP
195.10.123.118    3144    abc.def.ghi.198    8080    TCP

Looking for SQL servers
203.168.246.177    2256    abc.def.ghi.174    1433    TCP
203.168.246.177    2245    abc.def.ghi.174    3306    TCP
203.168.246.177    1813    abc.def.ghi.191    1433    TCP
203.168.246.177    1814    abc.def.ghi.191    3306    TCP
203.158.191.28       2563    abc.def.ghi.155    3306    TCP
203.158.191.28       2249    abc.def.ghi.165    3306    TCP
203.162.219.133     2093    abc.def.ghi.112    1433    TCP
203.162.219.50       2539    abc.def.ghi.200    1433    TCP

Probing the usual MS ports
203.110.95.199      3153    abc.def.ghi.61     445    TCP
203.110.95.199      1569    abc.def.ghi.64     445    TCP
203.113.133.72      2498    abc.def.ghi.100   139    TCP
203.113.133.72      2504    abc.def.ghi.101   139    TCP
190.137.134.106    1035    abc.def.ghi.60     137    UDP
190.137.134.106    1035    abc.def.ghi.61     137    UDP

Looking for pop3 & SMTP
68.20.167.21    4804    abc.def.ghi.53    110    TCP
68.20.167.21    1112    abc.def.ghi.54    110    TCP
190.2.22.85    1369    abc.def.ghi.110    25    TCP
190.2.22.85    1370    abc.def.ghi.111    25    TCP

Slammer Worm
202.96.87.29    1107    abc.def.ghi.105    1434    UDP
202.96.87.29    1107    abc.def.ghi.106    1434    UDP

SAV Bot (CVE-2006-2630)
203.20.75.18    3884    abc.def.ghi.135    2967    TCP
203.20.75.18    3371    abc.def.ghi.142    2967    TCP

Looking for X11
195.13.58.137    44101    abc.def.ghi.211    6000    TCP
195.13.58.137    44102    abc.def.ghi.212    6000    TCP

Trend Micro Server issue from earlier in the year
58.246.107.14    6000    abc.def.ghi.100    5168    TCP
58.246.107.14    6000    abc.def.ghi.101    5168    TCP

SSH Probes
193.0.121.66    41359    abc.def.ghi.110    22    TCP
193.0.121.66    57590    abc.def.ghi.111    22    TCP

Planetlab
05:42:41     193.55.112.40    59912    abc.def.ghi.136    33434    UDP
06:05:53     193.55.112.40    59912    abc.def.ghi.136    33434    UDP
06:30:54     193.55.112.40    59912    abc.def.ghi.136    33434    UDP
06:49:43     193.55.112.40    59912    abc.def.ghi.136    33434    UDP
07:17:32     193.55.112.40    59912    abc.def.ghi.136    33434    UDP
07:41:10     193.55.112.40    59912    abc.def.ghi.136    33434    UDP
The above entries looked unusual and were traced back to a research facility Planetlab, which has a number of projects, the project hitting the firewall in this case was looking for routing anomalies.

Unix Traceroute - (Thanks Jens)
206.123.64.70    12889    abc.def.ghi.26    33435    UDP      - Unix Traceroute
206.123.64.70    17749    abc.def.ghi.26    33437    UDP     -  Unix Traceroute

The unexplained
For the following I’m yet to find a good explanation so more digging tomorrow.   If you have a good explanation, feel free to write in using the contact form.
66.168.182.42    50935    abc.def.ghi.235    4899    TCP
66.168.182.42    50937    abc.def.ghi.236    4899    TCP
66.168.182.42    50938    abc.def.ghi.237    4899    TCP
The DSHIELD database shows a big increase in the number of targets for the last few days, but I haven’t managed to capture anything just yet.  The port 4899 belongs to radmin. 

Update - The port is used as a backdoor, so the above is likely to be a scan for already compromised hosts.

The following are in my “no Idea” bucket.
192.148.123.44    39841    abc.def.ghi.227    32801    UDP
192.148.123.45    39841    abc.def.ghi.227    32801    UDP

Whilst the following may look like replies to an RDP session, none of the hosts can make an outbound RDP connection.
61.238.148.9    3389    abc.def.ghi.32    36199    TCP
61.238.148.9    3389    abc.def.ghi.33    16763    TCP
61.238.148.9    3389    abc.def.ghi.4    27149    TCP
61.238.148.9    3389    abc.def.ghi.4    55340    TCP

Comparing the logs from the last review and this one, it is obvious that China and Russia are still the biggest sources of attacks, however the number of attacks are down from previous months.  There is an increased amount of traffic from Turkey, Italy, Columbia and Peru.   Some of this may be explained with the reported move of RBN to other locations such as Turkey and Italy.  The increase for Columbia and Peru may have something to do with our Brazilian friends.

Thats a day in the life of my log.  If you see anything weird in your logs, or you can explain my few left over log entries (especially port 4899 traffic), let us know.

Mark H - Shearwater

1 Comments

Published: 2007-12-12

Security 2.0 post feedback

Awhile back I wrote a post asking for your comments on "Security 2.0" and what it meant to you.  Thank you all for your feedback.  I received a ton.   I've selected a few posts and put them on my website (at a reader's request, I was asked to consolidate them).  I did not want to post it here, because it is super long, it would take up the whole frontpage, and I don't want to take any attention away from our MSFT tuesday post.  Check out the post at your leisure.

Joel Esler

http://www.joelesler.net

0 Comments

Published: 2007-12-11

Teredo Security Concerns

In the past we've written about the risks involved in using Teredo (like e.g. Microsoft's Vista does). It effectively makes machines behind a NAT gateway addressable from the Internet. Proponents will say that Vista doesn't start it until needed, and that the IPv6 address space is too big to scan. Well, all it takes is a hit on a IPv6 web server to both start it and to know where the client is.

It seems this opinion is now propagated and elaborated in an internet draft over at the IETF:

http://www.ietf.org/internet-drafts/draft-ietf-v6ops-teredo-security-concerns-01.txt

Recommended reading material.

Just a reminder: block UDP port 3544 on your IPv4 perimeter to stop the tunnels from being created.

--
Swa Frantzen -- Gorilla Security

0 Comments

Published: 2007-12-11

December black tuesday overview

Overview of the December 2007 Microsoft patches and their status.

# Affected Contra Indications Known Exploits Microsoft rating ISC rating(*)
clients servers
MS07-063 An unspecified vulnerability in the implementation of the SMBv2 signing allows attackers to recompute signatures.
Vista's SMBv2

CVE-2007-5351
KB 942624 No publicly known exploits Important Important Important
MS07-064 Input validation failures in DirectShow allows code execution through common file types.
Replaces MS05-050
Direct X

CVE-2007-3901
CVE-2007-3895
KB 941568 No publicly known exploits Critical Critical Important
MS07-065 A buffer overflow allows code execution with system privileges.
Replaces MS05-017
Message queuing (MSMQ)

CVE-2007-3039
KB 937894 No publicly known exploits Important Important Important
MS07-066 The advanced local procedure call (ALPC) allows allows escalation of privileges.
Vista's kernel

CVE-2007-5350
KB 943078 No publicly known exploits Important Important Critical
MS07-067 Macrovision's secdrv.sys (part of SafeDisk, a copyright enforcing scheme using a driver to allow original disks of games to run) allows privilege escalation.
secdrv.sys

CVE-2007-5587
KB 944653 Actively exploited Important Critical Important
MS07-068 ASF, WMV, WMA input validation failures allow code execution.
Replaces MS06-078
Windows Media Format

CVE-2007-0064
KB 941569
KB 944275
No publicly known exploits Critical Critical Important
MS07-069 Multiple vulnerabilities in Internet Explorer allow remote code execution.
Replaces MS07-057
MSIE

CVE-2007-3902
CVE-2007-3903
CVE-2007-5344
CVE-2007-5347
KB 942615 Actively exploited Critical PATCH NOW Important

 

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Gorilla Security

0 Comments

Published: 2007-12-11

How to stop javascript from websites infecting clients

Greg wrote in to ask how to protect users in his organization from getting infected with malware by visiting websites for business reasons that got hacked.

Knowing we like to recommend to disable javascript by using e.g. Firefox+NoScript, he asked for other solutions aside of disabling javascript as it's not an option in his environment.

So we're looking for success stories, send them through the contact form, and we'll summarize at the end of the day.

--
Swa Frantzen -- Gorilla Security

0 Comments

Published: 2007-12-10

Security Resolutions 2008

As the end of 2007 looms closer, are you thinking about what you are going to accomplish next year?  For me, I never make personal New Year's resolutions, but we must be more disciplined when it comes to our professional life. 

What are your priorities for security next year?

  • Web Application Security
  • Virtualization
  • User Education and Awareness
  • Disaster Recovery/Business Continuity Planning
  • Compliance Tools
  • Policy Updates

Tell us what you are planning to concentrate on next year.  Send us your comments here and we will keep updating all day.

Fair Winds, Mari Nichols

 

0 Comments

Published: 2007-12-09

Windows Media Player Issues

According to multiple sources, there are unpatched remote vulnerabilities in Windows Media Player 6.4 and Windows Media Player Classic 6.4 with public PoC's reported on Saturday.  The public PoC generates files with this type of name: SYS_49152_MP4_for_mplayer2.mp4.  Windows Media Player 6.4 is used for Win95 and WinNT systems (see http://www.microsoft.com/windows/windowsmedia/player/version64/default.aspx) so hopefully this does not affect very many of our readers.

Details:  http://www.securityfocus.com/bid/26773

Thanks to Juha-Matti for bringing this to our attention.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2007-12-06

Excerpt from a chapter in the continuing saga of Fast Flux and SSDD

Throughout my daily incident response thought process I contemplate whether any given issue is the result of a new "Web 2.0 worm".  Well, I didn’t necessarily find a new one in this case, but I almost can't avoid stumbling into surges of fast flux network activity.  What follows here is not new, but certainly worthy of rehashing the state of flux.

If we "Flash back" to the handler diary from June 26-28th 2007 where we posted details involving a drive-by vector which leveraged MySpace user pages, and you will see this is just a continuing chapter into "SSDD"; same STUFF different domains. 

The malicious life cycle of this specific flux net is maintained through:

  •  MySpace User credentials compromised by Phishing campaign
  •  The above referenced phish sites are Fast Flux hosted domains
  •  Every Phish site page load contains a drive-by exploit
  •  Drive-by exploit results in Fast Flux network growth
  •  New flux nodes become service endpoints
  •  Phished MySpace user credentials are injected with links to the drive-by flux domains

                 Rinse, wash and repeat

Only the domains and IPs of the innocent have been changed.
   *Actually, I see no innocence here, it's just bad!* 

If you are unlucky enough to fall prey [or intentionally fall prey!] during a visit to one of the many Flux net hosted MySpace Phish sites: (By no means is the following an attempt to build a complete list of active flux domains, I can't cut/paste faster than domains are being registered)

                        *** LIVE BROWSER EXPLOIT CODE - BE WARNED *** 

            http://profile.mysp ace.com.fuseaction.id.user.viewprofile.198 7383.cn/
            http://profile.mysp ace.com.fuseaction.id.user.viewprofile.370 913.cn/
            http://profile.mysp ace.com.fuseaction.id.user.viewprofile.187 098.cn/
            http://profile.mysp ace.com.fuseaction.id.user.viewprofile.188 273.cn/

The resulting drive-by would attempt to add your computer into the fast flux fold and begins it’s iframe journey through the inclusion of:

            http://currentses sion.net/session/index.php

The only new element in all of this worth noting is an incorporation of the recently published QuickTime exploit, and that is only in addition to what has become an almost de-facto standard suite of browser exploits.  Once the usual JavaScript tricks have been decoding away, you would find that a successful exploitation of your host leads to the download and execution of the following malware:

            http://currentses sion.net/session/file.php (file.exe)

            Sample: currentses sion.net/session/file.exe
           
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
            Size: 14848 Bytes
            MD5:  5d82154be8afc311dd7dca691e5889e8
            SHA1: 40d1e47e1bc3bf7c04dc0c59af9819859ec6b804

I'm going to skip the technical deep dive involved in foot printing the local host activity for a host that has been compromised and file.exe was executed. I will only offer that the criminal goal has been accomplished.  A Fast Flux proxy node has been deployed and you would find that both TCP port 80 and UDP port 53 listeners were bound via dll injection into the iexplore.exe process.  As a result of encoded configuration file updates, connections inbound to the affected host on TCP 80 or UDP 53 are transparently relayed upstream to the Flux Mothership who is responsible for servicing the respective web or dns request.  This particular Fast Flux mothership has been sitting quite happily at IP 72.232.173.210, in addition to 72.232.163.26 which manages health/availability monitoring of the flux net and serving flux node configuration files.  I might normally advocate a host take-down but in cases like this, this will only mean we would need to spend the time to find the new Mothership when it migrates 20 minutes after takedown.  They're bad hosts, so block them.  Bad host, no traffic! 
 

            My T-Shirt today says,
            "I was a fast flux node and all I got to serve were a few online casino's"

If the NoScript browser plug-in were a person, they would so be on my buddy list.  Consider yourself introduced, and it goes without saying, be careful when and where you choose to browse. 

 

William Salusky

Handler on Duty ;)

 

0 Comments

Published: 2007-12-06

Malvertising

Malvertising (malicious advertising) is a reasonably fresh take on an online criminal methodology that appears focused on the installation of unwanted or outright malicious software through the use of internet advertising media networks, exchanges and other user supplied content publishing services common to the Social Networking space.  The most popular Malvertising vector active "in the wild" is a result of the client rendering of Adobe Flash SWF files that contain maliciously coded Flash ActionScript.  In my own limited (but growing) experience, Malicious SWF files may share one or more of the following features:

  • They are often protected from casual swf decompiler tools though the use of commercial SWF encryption tools
  • May contain complex de-obfuscation routines to hide the actual intent of any embedded ActionScript.
  • May directly contain exploit code used to attack the client
  • May act solely as the drive-by vector in performing a 'GetURL' equivalent referral to the actual upstream exploit host
  • May primarily be a Social Engineering attack to confuse or trick a user into accepting the installation of software
  • Contains time sensitive payloads which do not go 'live' until a specific date and time.

In light of a growing problem that has the potential to effectively place every internet user at risk, even when only visiting sites they would otherwise fully trust, there is at least a new tool available to assist the security researcher community with a means to better identify malicious SWF files.  The timing for this is excellent, as I have personally only learned of this tool just this morning.  This particular tool is the OWASP hosted project named 'SWFIntruder'.  I will be doing my own deep dive into the details of it's use for inclusion into my own SWF analysis tool bag.  The personal SWF analysis tool bag happens to include two other freely available (also cross platform) SWF file decompilers:

SWFIntruder : https://www.owasp.org/index.php/Category:SWFIntruder
swfdump      : http://www.swftools.org/ (source available)
and 'flare'     : http://www.nowrap.de/flare.html  (binary only)  :(

We may expand on how you might consider applying security mitigations for this threat type as a protection for the average user which may include your spouse, parents, children, corporate network users, etc... in a future diary.  Please do write in with your own insights into the malvertising problem space.

William Salusky
Handler on Duty :)

 

1 Comments

Published: 2007-12-06

T'is the season to be jolly - Lindt sale

T'is the season to be jolly as the saying goes. 

During the holiday period we are all going to be subjected to various scams and schemes.  About 10.30 this morning people in Sydney Australia started to receive emails advertising a Lindt Chocolate sale at the Elizabeth Street Store (mostly forwarded by friends and family).

A cash only sale between 11 and 1 on Thursday the 6th of December.   Needless to say as I write this there are several hundred people outside the store hoping to cash in on the $5 per bag deals advertised in the email.  The PDF looks really good and genuine. I had junior on his way to get some (BTW kgleeson, you might want to remove the properties from the PDF file before doing something like this, although there could be a good explanation for the name being there). 

A slightly panicked security guard is currently outside the store yelling "It's a scam!!, there is no Sale".

Whilst this is a mildly amusing scam/prank during the holiday season everyone should be on the lookout for the usual greeting cards, "free gifts", credit card reprieves and other emails designed to extract money from our pockets.

Cheers,  I'll have to send junior off to Coles or Woollies to get my weekend stash.

Mark.

 UPDATE

Other information received (thanks Scott) points to a forum post regarding this.  It looks like the sale was meant for the people in the building only and got a bit out of hand and was canceled.  Find the explanation here. So no scam/prank after all kgleeson is safe.

Back to grabbing my greeting cards, playing elf bowl, purchasing pressies from the dodgy brothers, whilst supplementing my income by working from home.

 Made the news as well

 

 

0 Comments

Published: 2007-12-05

Using Cisco CSA? Time to patch!

Cisco have just released an advisory covering a buffer overflow vulnerability in the Cisco Security Agent (CSA) for Windows, with remote code execution as the possible outcome.  CSA is a "personal firewall" style product, and usually deployed as a defense against exactly the sort of threat that the component itself is now vulnerable to.  Back in 2004, such a vulnerability would probably have led to a flurry of noisy network worms - today, drive-by installs of spyware are more likely, but at least as damaging. The bottom line is still the same: If you are using the vulnerable component, patch as soon as possible.

 

0 Comments

Published: 2007-12-04

Botnet + Underground economy Chinese focused papers

The folks at honeyblog.org has written two nice papers on botnets and underground economy in China. They are working with the Chinese Honeynet Project to come up with these two papers.The underground economy paper is especially interesting since it summarize the how money is generated and flow through the underground system.

Links to the paper:

Characterizing the IRC-based Botnet Phenomenon

Studying Malicious Websites and the Underground Economy on the Chinese Web

 

0 Comments

Published: 2007-12-03

From the mailbag, December 3rd edition

Several months ago, I wrote about Mandiant releasing Mandiant Red Curtain (MRC), a tool that attempts to characterize files to point an investigator at files that might require more careful investigation.  Earlier this week, Russ McRee sent us info on a nice little presentation he gave on malcode analysis techniques for incident handling.  In it, he shows use of MRC and a couple of other tools that I'm quite fond of for malware analysis.  His presentation can be found here.

Speaking of incident response data gathering, I'm finally starting to read a book that has been on my list since before it was published.  That book is Harlan Carvey's execellent, Windows Forensic Analysis Including DVD Toolkit.  Lots of excellent tools.

One of the things that MRC does is look at entropy in the files.  Ero Carrerra's pefile (which I've mentioned previously I use in my own little script for packer identification) also calculates the entropy for each section of a PE file.  One of the other things that I've been looking at is hashing sections (or even individual functions) in an executable to see if that was useful in establishing relationships between malware variants.  Since Ero was already calculating entropy of each section, I asked if he'd be willing to hash the sections as well.  He graciously agreed and put the feature in version 1.2.8 of pefile which he released the following day.  Thanx, Ero.

I also discovered another new tool that hashes the sections of an executable.  Chris Rohlf has released a useful little tool called binhash.

 Finally, this morning, Thorsten Holz pointed out that the Chinese Honeynet Project has released 2 new technical reports.  The first entitled Characterizing the IRC-based Botnet Phenomenon, and the second, Studying Malicious Websites and the Underground Ecomony on the Chinese Web.

0 Comments

Published: 2007-12-03

Estonian Defense Minister Comments

On November 28th the Center for Strategic and International Studies in Washington DC hosted a discussion with His Excellency Jaak Aaviksoo, the Minister of Defense of the Republic of Estonia. The subject was "Cyberspace: A New Security Dimension at Our Fingertips". Mr. Aaviksoo gave a full accounting of his experiences with the Internet attacks on his country last spring.

Video, audio, and a full transcript are available at the CSIS web site.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2007-12-02

Active exploitation of Quicktime RTSP Response vulnerability

Symantec is reporting an active exploit site for the QuickTime RTSP Response vulnerability described in CVE-2007-0166. Currently, the malicious stream is hosted at port 554 on the server 85.255.117.212. While we can already confirm the exploit, we are currently investigating and will publish further detail when it becomes available.

As in our previous diary entry on this, we recommend following US-CERT's recommendations:

  • Setting the kill bit for the following Quicktime CLSIDs for Internet Explorer:
    {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
    {4063BE15-3B08-470D-A0D5-B37161CFFD69}
  • Disabling the QuickTime plug-in for Mozilla browsers;
  • Disable QuickTime file associations;
  • Filter traffic on the common RTSP ports (554/tcp and 6970-6999/udp). This provides only partial mitigation.

Each of these does make the use of valid Quicktime content next to impossible, so please be aware of the impact this may have on your organization. 

--
Maarten Van Horenbeeck

0 Comments

Published: 2007-12-02

Anti-virus Control means blocking before scanning

Everyone deploys anti virus, and sometimes without spending sufficient thought as to how it should be intelligently deployed. In essence, anti virus products have very different features: some products are relatively more of a ‘blocklisting’ technology than others. It’s important for us to ensure AV only needs to work in those cases where we know it is most effective.

As a quick example, here is the Virustotal output for a recent malicious RAR file that was brought to my attention. RAR files are archives, similar to ZIP but with a higher compression grade:

AhnLab-V3 2007.11.24.0 2007.11.23 -
AntiVir 7.6.0.34 2007.11.25 -
Authentium 4.93.8 2007.11.24 -
Avast 4.7.1074.0 2007.11.25 -
AVG 7.5.0.503 2007.11.25 -
BitDefender 7.2 2007.11.25 -
CAT-QuickHeal 9.00 2007.11.24 -
ClamAV 0.91.2 2007.11.25 -
DrWeb 4.44.0.09170 2007.11.25 -
eSafe 7.0.15.0 2007.11.21 -
eTrust-Vet 31.3.5324 2007.11.24 -
Ewido 4.0 2007.11.25 -
FileAdvisor 1 2007.11.25 -
Fortinet 3.14.0.0 2007.11.25 -
F-Prot 4.4.2.54 2007.11.25 -
F-Secure 6.70.13030.0 2007.11.25 Exploit.Win32.WinRar.g
Ikarus T3.1.1.12 2007.11.25 Exploit.Win32.WinRar.g
Kaspersky 7.0.0.125 2007.11.25 Exploit.Win32.WinRar.g

McAfee 5170 2007.11.23 -
Microsoft 1.3007 2007.11.25 -
NOD32v2 2684 2007.11.25 -
Norman 5.80.02 2007.11.23 -
Panda 9.0.0.4 2007.11.25 -
Prevx1 V2 2007.11.25 -
Rising 20.19.61.00 2007.11.25 -
Sophos 4.23.0 2007.11.25 -
Sunbelt 2.2.907.0 2007.11.24 -
Symantec 10 2007.11.25 -
TheHacker 6.2.9.141 2007.11.24 -
VBA32 3.12.2.5 2007.11.23 -
VirusBuster 4.3.26:9 2007.11.25 -
Webwasher-Gateway 6.0.1 2007.11.25 –

The vulnerability being exploited dated from 2005, but it appears most solutions did not have effective detection for it. This makes sense: security bugs have been found in several hundreds, if not more applications, and it would be very difficult for AV vendors to build in effective file format parsers for each of the affected file formats.

There’s also a good reason for them not to write such parsers: when implementing them for sometimes not too well described file formats, it’s easy to make security bugs in your own parsing code. This has been illustrated by several researchers, such as Thierry Zoller and Sergio Alvarez of n.Runs. They found several bugs in the parsing code, often leading to remote code execution for an attacker. Depending on where you scan, this could be your mail gateway or desktop.

The point of this diary is to illustrate the basis of the deployment of any gateway anti virus control should be that you enforce which file types are passed along to the internal clients. Does your organization actually need .RAR files to function?

Building a list of what type of file types you want to support organizationally, understanding each of them poses additional risk, should be the beginning of any implementation. The anti virus should then be configured accordingly to just drop anything that does not match this policy statement.

--
Maarten Van Horenbeeck

0 Comments

Published: 2007-12-01

Firefox 2.0.0.11

Several readers have informed us on the release of Firefox 2.0.0.11. It corrects a bug that was found in the previous release, Firefox 2.0.0.10.

0 Comments