2006 Alerts - Q1
SANS - Internet Storm Center
Last Updated: 2006-01-01 15:54:21 UTC by Johannes Ullrich (Version: 1)
"I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:
InterCage Inc.: 22.214.171.124/19 (126.96.36.199 - 188.8.131.52)
Inhoster: 184.108.40.206/20 (220.127.116.11 - 18.104.22.168)
The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks.
They have been associated with a number of high profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non responsive to current and past requests to remove malicious content."
Last Updated: 2006-01-13 20:17:17 UTC
"US-CERT* and AUSCERT** warn about a bug in java being exploited. They claim (the) bug was made public in November 2005.
...Download that latest greatest java environment now if you haven't done so already and upgrade. Better yet: in addition to upgrading all java versions, also check those browser settings and turn java off for all sites that you either do not trust 100% to execute code on your machines or that do not absolutely need it to work.
We have been informed multiple times the hostile java seems to be at a webserver at fullchain [dot] net. Might be interesting to check your logs in a corporate environment. The supposedly hostile code is still there so we won't be providing detailed URLs for now. The class file on that website is not detected as malicious by any anti-virus product participating in virustotal... It's also necessary to remove the old java environments, not just get the new ones as an attacker can target the old environments when they are still present.
* SDK and JRE 1.4.2_09 and later
* JDK and JRE 5.0 Update 4 and later
J2SE 1.4.2 is available for download at http://java.sun.com/j2se/1.4.2/download.html
J2SE 5.0 is available for download at http://java.sun.com/j2se/1.5.0/download.jsp ...
Note: It is recommended that affected versions be removed from your system..."
Last Updated: 2006-01-16 17:14:37 UTC
"We received notification last night that a working exploit "MS Windows Metafile (WMF) Remote File Download Exploit Generator" has been released to the public. The code takes advantage of the "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution", MS# MS06-001. The exploit code will generate a .wmf that downloads and executes a specified URL. The sad part to this story is that we have a set of 'plug & play' source code for evil-doers to spread their wares with. And only 10 days after a patch has been released... we can expect to see variants coming very soon. The group responsible for this release is well-known for this."
Last Updated: 2006-01-26 21:39:20 UTC
"...The first thing you should do is to update your anti virus signatures...
How would I get infected?
The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.
What will BlackWorm do to my system?
It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":
1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.
Joe Stewart (Lurhq.com) provided the following snort signatures based on his analysis of the worm:
(for up to date rules, see http://www.bleedingsnort.org ) ..."
January 30, 2006
"...The forums were taken offline as soon as AMD learned of the exploit, said Drew Prairie, a spokesman for the Sunnyvale, Calif.-based chipmaker. The forums are maintained by another company that apparently failed to update its software in order to protect against the exploit, he said. Prairie was unaware of the name of the company, which is dealt with by AMD's staff in Europe. The forums were back online late Monday afternoon. A poster started a thread on Saturday warning other forum users about the exploit..."
Last Updated: 2006-01-31 22:24:11 UTC
"The folks at Bleeding Snort released an updated list* of known malware-related domains yesterday, up to 9,400 entries now! For those of you employing DNS black holes, proxy-based filtering, or doing other general research of malware based on domains, you should check out this exhaustive (and exhausting!) new list. I frequently rely on this list to match against when doing research of spyware and related nasties. Kudos to the Bleeding Snort guys for their hard work."
Release Date: 2006-02-02
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 0.x, Mozilla Firefox 1.x ...
Update to version 22.214.171.124 - http://www.mozilla.com/firefox/ ..."
What's new in Firefox 126.96.36.199
Update Firefox to 188.8.131.52, the exploit is out
Last Updated: 2006-02-07 21:57:14 UTC
"Exploit code for the recently announced Mozilla Firefox 1.5 QueryInterface() Remote Code Execution has been released as a part of the metasploit framework. Get yours today, firefox update to 184.108.40.206 that is (No links to exploits here, sorry)..."
Recovering LOST files from a hard drive
Last Updated: 2006-02-04 22:15:51 UTC
"Help, I have lost data files from my hard drive (due to CME-24 or other reasons).
First, if at all possible, TURN off the computer and put the infected drive on another system that is not infected. If for one reason or another you cannot, you should consider one of the cdrom or floppy based recovery systems and an extra drive.
You should perform recovery to a different filesystem than the one being recovered from, otherwise you risk overwriting some files as you recover others.
>>> Be aware some companies offer demos that identify "lost" files but do not save the files they find.
Here is a short list of forensic tools and data recovery tools.
The free version is limited to recovering files of 200k or smaller.
Linux/Unix based tools:
CDROM based Bootable images
FCCU GNU/Linux boot CD 10.0 from fccu.
Fire from sourcefire
FoRK from Vital Data
Requires a registration.
Here is a good list of forensics tools.
7 February 2006
"Spyware programs that monitor users' surfing habits remain prevalent, but their frequency is on the decline, according to a recent academic study*. Security researchers at the University of Washington used web crawler technology to discover that around one in 20 executable files (5.5 per cent) offered for download on the net during a five-month period contained some type of malware, mostly less malign code that generated invasive pop-up ads rather than more dangerous key-logging software. At the start of the May 2005 survey, 5.9 per cent of sites surveyed attempted to use security exploits to download spyware onto potentially vulnerable PCs. This figure for so-called drive-by downloads dropped to 0.4 per cent by October 2005. Warez sites that offer pirated software topped the list for drive-by downloads (4.3 per cent of domains), with celeb sites (3.9 per cent) coming a close second. Although the density of scripted attacks dropped between May and October last year, spyware remains a substantial problem, the Washington researchers conclude..."
Last Updated: 2006-02-16 04:03:36 UTC
"The proof of concept exploit for MS06-005 has been released. The exploit crafts a malicious BMP file to perform a buffer overflow in Media Player. Keeping in mind, as Microsoft has pointed out, that the exploiting factor can include other graphics files as well (such as .wmp), it's a good idea to get it patched ASAP."
February 16, 2006
"..."There are two exploits circulating," said Mike Puterbaugh, the vice president of marketing at eEye Digital Security, the Aliso Viejo, Calif.-based company which first uncovered the Media Player vulnerability. "One is somewhat minor, and can cause a denial-of-service, but the second we're taking far more seriously," said Puterbaugh. "It's 95 percent there as a propagated mass attack. "All the guy needs to do is add shell code to it to remotely exploit machines." The exploit, which was posted to the Bugtraq security mailing list is "minutes or days from being completed," Puterbaugh said. "The exploit hasn't been able to reliably write to the same part of memory every time, but once he gets that, it's game over"..."
Last Updated: 2006-02-17 13:28:51 UTC
"The 'sploit writers have been busy. In the last 24 hours a total of four exploits have been released - two each for MS06-005 and MS06-006.
MS06-005 - Vulnerability in Windows Media Player Could Allow Remote Code Execution
MS06-006 - Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution ..."
Symantec ThreatCon Level is 2
"The ThreatCon remains at Level 2 in light of proof-of-concept exploits released Friday for Microsoft Security Bulletins MS06-005 (BID 16633) and MS06-006 (BID 16644). Customers are advised to install appropriate updates as soon as possible..."
23 February 2006
"A WARNING RECEIVED highlights what appears to be a real Explorer danger that text copied onto the clipboard can be seen on the web. Some people who should, appear to know all about this, while it was news to others we contacted.
So try this:
1) Copy any text by ctrl+c
2) Click the Link:
("...The best way to solve this problem is to use Firefox...")
3) You will see the text you copied on the Screen which was accessed by this web page.
The advice is do not keep sensitive data (like passwords, credit card numbers, PIN etc.) in the clipboard while surfing the web. It is extremely easy to extract the text stored in the clipboard.
To fix this it is simple, do the following in your browser:
Tools->Internet Options->Security->Custom Level scroll down to "Scripting"
Disable "Allow paste operation via script"
Hit OK and you should be good to go.
To verify, repeat step 1 & 2 and you will see the link can not see your clipboard.
Last Updated: 2006-02-25 15:33:14 UTC
"We have been monitoring a reported flaw with Winamp 5.12 and 5.13. A buffer overflow condition with a playlist containing a long file name can cause the application to crash at best and execute arbitrary code at worst. To date, we are not aware of any POC that uses this vulnerability successfully for malicious purposes. This problem is fixed in Winamp 5.2 so users are advised to update..."
Release Date: 2006-02-16
Last Update: 2006-02-23
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Winamp 5.x...
...The vulnerability has been reported in versions 5.12 and 5.13. Prior versions may also be affected.
Update to version 5.2 ..."
Winamp 5.2 Player Download
Fresh Apple Patches
Last Updated: 2006-03-02 00:09:47 UTC
"Apple released a security update called "2006-001". It is claiming to update following components:
- Directory Services
For detailed information on this update, we'll refer you to apple's article 303382*. This update is very critical to install on your Mac OS X machines..."
March 07, 2006
"An anti-virus vendor warned Tuesday that two new worms spreading on Microsoft's and America Online's instant messaging networks delete files and leave systems open to hijacking. Symantec posted alerts for the "Hotmatom" and "Maniccum" worms, and ranked both as a level "2" threat. The Cupertino, Calif.-based security company uses a 1 through 5 scale to label worms, viruses, and Trojans. Hotmatom, said Symantec, is a Spanish-language worm transmitted over Microsoft's MSN instant messaging network. A message arrives, seemingly from a trusted IM contact, that claims a "very dangerous virus" (virus muy peligroso) has been detected, and offers a link to a free patch. Clicking on the link, however, actually installs the worm. Once on a PC, Hotmatom* deletes files at the root level of the A:/ and C:/ drives, then assigns those deleted filenames to copies of itself. It also appends text to any future Microsoft Hotmail e-mail messages sent by that computer; the text, which can be in either Spanish or English, includes links to the same malicious code. Maniccum**, meanwhile, propagates via both America Online's AIM and MSN's networks, and if installed, opens a backdoor on that PC and tries to disable security programs, including anti-virus and firewall software. The backdoor, which accepts commands from the attacker via IRC, can be used to access files, update the worm, upload more malicious code, send additional AIM and/or MSN messages, and launch denial-of-service (DoS) attacks, said Symantec."
md usa spybot fan
McAfee AntiVirus Users:
Unfortunately it appears that McAfee, Inc. may not consider the above threat as serious as one would hope.
The latest McAfee DAT file (DAT 4712) was just released and it does not appear to include the detection for the "W32/Hotmatom.worm":
DAT Readme (http://vil.nai.com/vil/DATReadme.asp)
DAT Version: 4712
DAT Release Date: 03/07/2006
Threats Detected: 181664
New Detections: 21
Enhanced Detections: 100
According to the following the detection for the "W32/Hotmatom.worm" is rated "Low" for both Home and Corporate users:
Virus Profile: W32/Hotmatom.worm
- Home Users: Low
- Corporate Users: Low
Date Discovered: 3/7/2006
Date Added: 3/7/2006
Length: 204,800 bytes
DAT Required: 4713
Since the latest detection file is "DAT 4712" and "W32/Hotmatom.worm" is not being detected until "DAT 4713" (which would not normally be published until tomorrow) please be careful or restrict your instant messaging activity until McAfee's AntiVirus includes signatures for this threat.
Even with all that stuff from Symantec:
...currently, the "ThreatCon Level is 1 - The ThreatCon is being maintained at Level 1. DeepSight TMS is not currently reporting any anomalous or notable activity" (... in spite of the "level '2' threat" on both items named).
...so, it makes you wonder whether the right hand knows what the left is doing at times.
Suffice it to say, use caution with IM while these uglies are out and about at AOL and MSN.
March 09, 2006
"Websense® Security Labs™ has received reports of a malicious website, which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code's filename is main_n80.scr and was discovered on a site, which appears to be a fraudulent version of the Nokia Taiwan website.
The site uses a cousin domain name and simply has an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.
The main_80.scr file is an SFX self-extracting executable file that contains four files:
When the main_80.scr file is executed, it will use download.exe to copy the extracted files to the system32 dir and execute its version of run32dll.exe. The rundll32.exe file will show error.jpg. Once the user closes the .jpg file, rundll32.exe will execute the rest of the extracted .exe files. These extracted .exe files modify the registry, as detailed below, to ensure that it starts on restart, and check for the existence of the application Lineage.
* Modifies or creates files and stores in system32 directory
* Kerne0110.exe is a copy of winlogin.exe
* Rundll32.exe is a copy of download.exe
* gg.bat is created
* _2dll.dll is created
* microsoftie0110.dll is created
* msabc.dll is created
* pKerme123.dll is created
* RegistryInfo.dll is created
* Verifies installation of lineage..."
(Screenshot available at the URL above.)
Last Updated: 2006-03-11 01:29:45 UTC
"NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright, this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.
If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:
* How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
* Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?"
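As an added example (not from the ISC diary or from McAfee), the following Python script shows one way to answer the first question above: a triage heuristic run over constructed AV log lines that separates a "bad pattern" burst (many distinct, well-known vendor binaries flagged only under the new DAT) from an outbreak (the same file name turning up in user-writable directories on more and more hosts). The log format, host names, paths and the `Downloader.gen` name are assumptions made for the sample; W95/CTX, DAT 4714/4715 and the excel.exe, reg.exe, shutdown.exe and setup.exe hits come from the diary.

```python
"""Triage an AV detection burst that follows a signature (DAT) update and
decide whether it looks like a bad pattern (false positive) or an outbreak.
All log lines below are constructed samples, not real McAfee output."""
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+dat=(?P<dat>\d+)\s+det=(?P<name>\S+)\s+'
    r'path="(?P<path>[^"]+)"\s+action=(?P<action>\w+)$'
)
# Locations of vendor-installed binaries versus places malware typically lands.
TRUSTED_DIR_RE = re.compile(r'^[a-z]:\\(program files|windows\\system32)\\')
USER_WRITABLE_RE = re.compile(r'\\(temp|desktop|downloads|startup)\\')

# Constructed: burst of W95/CTX hits on distinct, well-known binaries, all on the new DAT.
BAD_PATTERN_LOG = r"""
2006-03-10T09:02:11 ws-0017 dat=4715 det=W95/CTX path="C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE" action=quarantined
2006-03-10T09:02:40 ws-0023 dat=4715 det=W95/CTX path="C:\WINDOWS\system32\reg.exe" action=quarantined
2006-03-10T09:03:05 ws-0041 dat=4715 det=W95/CTX path="C:\WINDOWS\system32\shutdown.exe" action=quarantined
2006-03-10T09:03:19 ws-0017 dat=4715 det=W95/CTX path="C:\Program Files\Acme Tools\setup.exe" action=quarantined
2006-03-10T09:04:02 srv-db01 dat=4715 det=W95/CTX path="C:\oracle\product\10.2.0\bin\sqlplus.exe" action=quarantined
"""
# Constructed: the same file name spreading through user-writable directories across hosts.
OUTBREAK_LOG = r"""
2006-03-10T11:10:02 ws-0017 dat=4714 det=Downloader.gen path="C:\Documents and Settings\dsmith\Local Settings\Temp\news.exe" action=deleted
2006-03-10T11:14:30 ws-0052 dat=4714 det=Downloader.gen path="C:\Documents and Settings\jdoe\Desktop\news.exe" action=deleted
2006-03-10T11:20:18 ws-0063 dat=4715 det=Downloader.gen path="C:\Documents and Settings\mlee\Local Settings\Temp\news.exe" action=deleted
"""


@dataclass
class Event:
    ts: str
    host: str
    dat: int
    name: str
    path: str
    action: str


def parse(log: str) -> list:
    """Parse the key=value style lines above into Event records."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable line: " + line)
        events.append(Event(m["ts"], m["host"], int(m["dat"]), m["name"],
                            m["path"], m["action"]))
    return events


def triage(events, previous_dat: int) -> dict:
    """Classify each detection name seen in the burst.

    Bad-pattern fingerprint: every hit carries a DAT newer than the last known-good
    one and the hits are on many *different* well-known binaries under vendor paths.
    Outbreak fingerprint: one file name keeps turning up in user-writable
    directories on more hosts, regardless of DAT version.
    """
    by_name = defaultdict(list)
    for e in events:
        by_name[e.name].append(e)
    verdicts = {}
    for name, evs in by_name.items():
        paths = {e.path.lower() for e in evs}
        basenames = {p.rsplit("\\", 1)[-1] for p in paths}
        only_new_dat = min(e.dat for e in evs) > previous_dat
        trusted_ratio = sum(1 for p in paths if TRUSTED_DIR_RE.match(p)) / len(paths)
        writable_ratio = sum(1 for p in paths if USER_WRITABLE_RE.search(p)) / len(paths)
        if only_new_dat and trusted_ratio >= 0.8 and len(basenames) >= 3:
            verdict = "probable false positive"
            action = f"roll back to DAT {previous_dat}, restore quarantine, open a vendor case"
        elif writable_ratio >= 0.5 and len(basenames) <= 2:
            verdict = "probable outbreak"
            action = "isolate affected hosts, pull a sample, keep the new DAT"
        else:
            verdict = "inconclusive"
            action = "analyst review: compare hashes of hit files against gold images"
        verdicts[name] = {
            "verdict": verdict,
            "recommended_action": action,
            "hosts": len({e.host for e in evs}),
            "distinct_paths": len(paths),
            "trusted_ratio": round(trusted_ratio, 2),
        }
    return verdicts


if __name__ == "__main__":
    for label, log in (("DAT 4715 burst", BAD_PATTERN_LOG), ("news.exe wave", OUTBREAK_LOG)):
        for name, v in triage(parse(log), previous_dat=4714).items():
            print(f"{label}: {name}: {v['verdict']} ({v['hosts']} hosts, "
                  f"{v['distinct_paths']} paths) -> {v['recommended_action']}")
```

The thresholds are a starting point to tune against your own fleet; the point is that the answer to "false positive or outbreak?" lives in where the hits land and whether they began exactly at the pattern change, which is only visible if the DAT version is logged alongside each detection.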
RE: False positives from 4715 DAT file of 3.10.2006:
"...Users who have moved detected files to quarantine should restore them to their original location. Windows users who have had files deleted should restore files from backup or use System Restore.
Virusscan Online users can restore the falsely detected file from the Manage Quarantined Files by clicking on the Restore button as shown..."
>>> (See URL above for complete info and screenshots.)
Last Updated: 2006-03-12 18:58:01 UTC
"... Update March 12, 2006 - 15:28 PDT --
A complete list of files, which are known to trigger this incorrect identification, can be downloaded here*."
"...Update: 02:43 UTC 2006-03-13 - McAfee has released a list of (supposedly) all the files affected by DAT 4715. It includes some other interesting ones in addition to excel.exe, like setup.exe, uninstall.exe, shutdown.exe, and reg.exe to name just a few, but is clearly incomplete since it doesn't include any of the Oracle binaries that have been reported to be affected by some of our readers..."
FYI... re: http://isc.sans.org/diary.php?compare=1&storyid=1184
"...McAfee has developed a tool that will restore files that were quarantined by DAT 4715..."
"...Update March 13, 2006 - 17:45 PDT --
Tools for recovering quarantine files due to this incorrect identification can be found here*..."
McAfee W95/CTX Quarantine File Restore Utility
Last Updated: 2006-03-11 19:54:39 UTC
"Don't open zips you get in the mail. Today's gem claims to be video about new acts of terrorism. Attached to the email was a 47KB zip file news.zip. Inside news.zip is news.exe. But it's a trojan, of course. Only about half of the av scanners recognized it. Those that did identified it as a trojan downloader of some sort.
TEXT of the virus message:
From: BBC World News [mailto:email@example.com]
Sent: Fri 3/10/2006 7:24 PM
To: Smith, Donald
Subject: New acts of terrorism in New York and London
Today FBI and SCOTLAND YARD has informed on set of new acts of terrorism in New York and London. On a communique was lost more than two thousand person and about ten thousand have received the wounds which were much of them are in a grave condition.Police and MI5 identified an Al-Qaeda cell that had carried out extensive research and video-recorded reconnaissance missions in preparation for the attack. You can learn the detailed information in the attached file."
Apple Mac OS X security patch bundle 2006-002
Last Updated: 2006-03-13 23:44:56 UTC
"Apple released some more security patches today for Mac OS X in a bundle called 2006-002*.
* CoreTypes: CVE-2006-0400
Fix for an XSS scripting vulnerability in archives by flagging the documents as unsafe.
* Mail: CVE-2006-0396
Fix for a vulnerability allowing arbitrary code execution by clicking on crafted email messages
* Safari, LaunchServices, CoreTypes: CVE-2006-0397, CVE-2006-0398, CVE-2006-0399
Additional checks on top of those in the previous update.
* Various non security rated regression fixes in a.o. apache_mod_php (still based on PHP 4.4.1, not on the latest 4.4.2) and rsync..."
Release Date: 2006-03-14
Critical: Extremely critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X...
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
2) A boundary error in Mail can be exploited to cause a buffer overflow via a specially crafted email. This allows execution of arbitrary code on a user's system if a specially crafted attachment is double-clicked.
3) An error in Safari / LaunchServices can cause a malicious application to appear as a safe file type. This may cause a malicious file to be executed automatically when visiting a malicious web site...
Apply Security Update 2006-002 ( http://docs.info.apple.com/article.html?artnum=303453 ).
APSB06-03 Flash Player Update to Address Security Vulnerabilities
Originally posted: March 14, 2006
Critical vulnerabilities have been identified in Flash Player that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.
Adobe recommends all Flash Player 220.127.116.11 and earlier users upgrade to the new version 18.104.22.168, which can be downloaded from the Player Download Center*..."
Date Posted: 3/14/2006...
Affected Software Versions
Flash Player versions 22.214.171.124 and earlier...
To verify the Flash Player version number, access the About Flash Player page, or right-click on Flash content and select About Macromedia Flash Player from the menu. If you use multiple browsers, perform the check, and the installation for each browser.
Shockwave Player version 10.1.0.11 and earlier
("You must have 'Administrator privileges' to install...")
Adobe categorizes this as a critical update and recommends affected users update to Flash Player 126.96.36.199..."
Apple Updates the Update
Last Updated: 2006-03-17 05:03:56 UTC
"Today, Apple released Version 1.1 of its 2006-002 patch which was released on Monday.
Read more about it here: Apple 2006-002 v1.1*
This time, Apple only lists the patched components (php, CoreTypes, LaunchServices, Mail, rsync, Safari).
The update includes all the fixes released in the initial Apple 2006-002 and -001 patch...
'Would be nice to have a few more details from Apple. For home users: Apply the patch as soon as you can. At this point, Apple does not appear to offer the patches in distinct packages, which will make testing in larger environments tricky..."
Security Update 2006-002 v1.1 Mac OS X 10.4.5 (PPC)
Mar 16, 2006
"An incorrect update to Symantec's Norton security software on Wednesday blocked Internet access for some America Online users. The issue affected AOL customers using recent editions of Norton AntiVirus and Norton Internet Security, Symantec said in a statement sent via e-mail on Thursday. The culprit was an update to intrusion prevention software that is part of the security software, the company said. "This update incorrectly detected traffic patterns used as part of the AOL connection as a potential risk," Symantec said in the statement. AOL has about 20 million Internet service subscribers. As a result of the incorrect update, AOL dial-up customers lost their connection and AOL broadband users were unable to access AOL servers, Symantec said. The erroneous update was removed from Symantec's servers about seven hours after it was released, and a corrected version was posted, the company said... Norton users who are experiencing problems can contact Symantec customer service at 1-800-927-3991 at no cost or read more on the issue at the company's Web site*. Symantec advises users who are unable to go online because of the issue to disable their Norton software, connect to the Internet and immediately download updated definition files."
March 22, 2006
"Yesterday we received an interesting email-worm sample, detected as Gurong.a, that uses rootkit techniques to hide its file, process and launch point in the registry. It is based on the infamous Mydoom code and it is in the wild but currently spreading very slowly... Gurong.a modifies the operating system kernel, specifically the system service table and process object structures, so it is a kernel-mode rootkit. What makes it different from other kernel-mode rootkits we have seen is the way it installs the rootkit payload into kernel... F-Secure BlackLight* is able to find and disable Gurong.a..."
Last Updated: 2006-03-23 13:14:13 UTC
"There are three vulnerabilities in RealPlayer and associated products that allow remote code execution, and patches have been released to remediate the problems. The vulnerabilities are boundary errors caused by certain SWF, MBC or specially crafted webpages that can lead to buffer overflows. The latest version of RealPlayer is not affected and users should upgrade immediately. The advisory can be read here*... The matrix of vulnerable products can be seen here**..."
Release Date: 2006-03-23
Critical: Highly critical
How a 'Catch-22' Turns into a 'Shame on You'
Last Updated: 2006-03-31 16:27:44 UTC
"We received a submission yesterday from a user who was complaining about a Catch-22 that Microsoft had set up. Microsoft Security Advisory (917077) addresses a vulnerability in Internet Explorer and how it handles HTML objects. The workaround is to change the security setting for ActiveScripting, to either disable it completely or to set it to prompt the user before running each script. On the advisory's web page, there is a link to this feedback page. The potential issue here is that the feedback page is using ActiveScripting. Oops ;-)
So why is this bad? Microsoft is using an internal CA to issue the SSL certificate for their web site. Only folks using Internet Explorer to view the page will not get complaints about the certificate. Anyone using any other browser will get an alert. Now since this page deals with security (specifically web browser security), it is counterproductive to the mindset we are trying to train people to have to use an SSL certificate that they can't verify. If folks just think to themselves "Hey this came from Microsoft's security folks, it should be ok" it sets up reinforcement of ignoring SSL certificate errors. The solution is for Microsoft to either use a certificate from a publicly trusted CA or to have their CA certificates included in other browsers. Since there are so many alternative browsers, using a publicly trusted CA is probably the best option. You can export the Microsoft CA certificates from Internet Explorer and import them into Firefox (or another browser) and then you will not see the popup about the server's SSL certificate not being verified."