#1
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
SANS - Internet Storm Center - http://isc.sans.org/diary.php?storyid=997
Last Updated: 2006-01-01 15:54:21 UTC by Johannes Ullrich (Version: 1)
"I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:
InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks. They have been associated with a number of high profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non-responsive to current and past requests to remove malicious content."
#2
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
- http://isc.sans.org/diary.php?storyid=1039
Last Updated: 2006-01-13 20:17:17 UTC
"US-CERT* and AUSCERT** warn about a bug in java being exploited. They claim (the) bug was made public in November 2005. ...Download that latest greatest java environment now if you haven't done so already and upgrade. Better yet: in addition to upgrading all java versions, also check those browser settings and turn java off for all sites that you either do not trust 100% to execute code on your machines or that don't absolutely need it to work.
UPDATE: We have been informed multiple times the hostile java seems to be at a webserver at fullchain [dot] net. Might be interesting to check your logs in a corporate environment. The supposedly hostile code is still there so we won't be providing detailed URLs for now. The class file on that website is not detected as malicious by any anti-virus product participating in virustotal... It's also necessary to remove the old java environments, not just get the new ones, as an attacker can target the old environments when they are still present.
* http://www.us-cert.gov/current/curre...y.html#javaapi
** http://www.auscert.org.au/render.html?it=5925
>>> http://sunsolve.sun.com/searchproxy/...=1-26-102003-1
"...Resolution...
* SDK and JRE 1.4.2_09 and later
* JDK and JRE 5.0 Update 4 and later
J2SE 1.4.2 is available for download at http://java.sun.com/j2se/1.4.2/download.html
J2SE 5.0 is available for download at http://java.sun.com/j2se/1.5.0/download.jsp
... Note: It is recommended that affected versions be removed from your system..."
#3
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
- http://isc.sans.org/diary.php?storyid=1047
Last Updated: 2006-01-16 17:14:37 UTC
"We received notification last night that a working exploit "MS Windows Metafile (WMF) Remote File Download Exploit Generator" has been released to the public. The code takes advantage of the "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution", MS# MS06-001. The exploit code will generate a .wmf that downloads and executes a specified URL. The sad part to this story is that we have a set of 'plug & play' source code for evil-doers to spread their wares with. And only 10 days after a patch has been released... we can expect to see variants coming very soon. The group responsible for this release is well-known for this."
#4
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
- http://isc.sans.org/blackworm
Last Updated: 2006-01-26 21:39:20 UTC
"...The first thing you should do is to update your anti virus signatures...
How would I get infected? The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.
What will BlackWorm do to my system? It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
Removal: Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":
1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.
Snort Signatures: Joe Stewart (Lurhq.com) provided the following snort signatures based on his analysis of the worm: (for up to date rules, see http://www.bleedingsnort.org ) ..."
Last edited by AplusWebMaster; 2006-01-27 at 02:33. Reason: Title clarity...
#5
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
- http://news.zdnet.com/2102-1009_22-6...?tag=printthis
January 30, 2006
"...The forums were taken offline as soon as AMD learned of the exploit, said Drew Prairie, a spokesman for the Sunnyvale, Calif.-based chipmaker. The forums are maintained by another company that apparently failed to update its software in order to protect against the exploit, he said. Prairie was unaware of the name of the company, which is dealt with by AMD's staff in Europe. The forums were back online late Monday afternoon. A poster started a thread on Saturday warning other forum users about the exploit..." :(
#6
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
- http://isc.sans.org/diary.php?storyid=1085
Last Updated: 2006-01-31 22:24:11 UTC
"The folks at Bleeding Snort released an updated list* of known malware-related domains yesterday, up to 9,400 entries now! For those of you employing DNS black holes, proxy-based filtering, or doing other general research of malware based on domains, you should check out this exhaustive (and exhausting!) new list. I frequently rely on this list to match against when doing research of spyware and related nasties. Kudos to the Bleeding Snort guys for their hard work."
* http://www.bleedingsnort.com/blackhole-dns/files/
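Added example, not code from the forum post or from the SANS diaries: it checks proxy-log events against the two netblocks the diary in post #1 recommends blocking, and against a DNS blackhole domain list of the kind post #6 points to (matching subdomains the way a black hole for the whole zone would). The log format, the client/host names and the blackhole entries are constructed for illustration; only the two CIDRs come from the thread.

```python
import ipaddress
import re

# The two netblocks the ISC diary recommends blocking (post #1).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("69.50.160.0/19", "85.255.112.0/20")]

# Constructed stand-in for a DNS blackhole list such as the Bleeding Snort file (post #6);
# the real list has thousands of entries and would be loaded from that file.
BLACKHOLE_DOMAINS = {"bad-example.test", "spyware-host.example"}

def ip_blocked(ip):
    """True when ip lies inside one of the blocked netblocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # not an address (e.g. a hostname or garbage)
        return False
    return any(addr in net for net in BLOCKED_NETS)

def domain_blocked(host):
    """True when host is a listed domain or any subdomain of one, which is
    what a DNS black hole answering for the whole zone would catch."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLACKHOLE_DOMAINS for i in range(len(labels)))

# Constructed (hypothetical) proxy-log format: "<time> <client> <host> <dst-ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<dst>\S+)$")

def flag_events(lines):
    """Return (client, host, dst, reasons) for each line that hits a block rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if ip_blocked(m["dst"]):
            reasons.append("netblock")
        if domain_blocked(m["host"]):
            reasons.append("domain")
        if reasons:
            hits.append((m["client"], m["host"], m["dst"], reasons))
    return hits

# Constructed sample log lines; the in-range addresses are taken from the CIDRs above, the hosts are invented.
SAMPLE_LOG = [
    "10:01 10.0.0.5 www.example.org 93.184.216.34",
    "10:02 10.0.0.5 ns1.some-host.test 69.50.175.3",
    "10:03 10.0.0.7 cdn.bad-example.test 198.51.100.9",
    "10:04 10.0.0.7 notbad-example.test 69.50.192.1",
    "10:05 10.0.0.9 update.spyware-host.example 85.255.120.9",
]
```

Note that `notbad-example.test` is not flagged: matching is done on whole labels, so a lookalike domain that merely ends in a listed string does not match.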
#7
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
- http://secunia.com/advisories/18700/
Release Date: 2006-02-02
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 0.x, Mozilla Firefox 1.x ...
Solution: Update to version 1.5.0.1 - http://www.mozilla.com/firefox/ ..."
EDIT/ADD: What's new in Firefox 1.5.0.1
- http://www.squarefree.com/burningedg...s/1.5.0.1.html
- http://www.mozilla.org/projects/secu...s.html#Firefox
EDIT/ADD: Update Firefox to 1.5.0.1, the exploit is out
- http://isc.sans.org/diary.php?storyid=1102
Last Updated: 2006-02-07 21:57:14 UTC
"Exploit code for the recently announced Mozilla Firefox 1.5 QueryInterface() Remote Code Execution has been released as a part of the metasploit framework. Get yours today, firefox update to 1.5.0.1 that is (No links to exploits here, sorry)..."
Last edited by AplusWebMaster; 2006-02-08 at 01:07. Reason: Exploit is out...
#8
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
Recovering LOST files from a hard drive
- http://isc.sans.org/diary.php?storyid=1096
Last Updated: 2006-02-04 22:15:51 UTC
"Help, I have lost data files from my hard drive (due to CME-24 or other reasons). First, if at all possible TURN off the computer and put the infected drive on another system that is not infected. If for one reason or another you cannot, you should consider one of the cdrom or floppy based recovery systems and an extra drive. You should perform recovery to a different filesystem than the one being recovered from, otherwise you risk overwriting some files as you recover others.
>>> Be aware some companies offer demos that identify "lost" files but don't save the files they find.
Here is a short list of forensic tools and data recovery tools.
Windows: http://www.x-ways.net/davory/index-m.html The free version is limited to recovering files of 200k or smaller.
Linux/Unix based tools: http://www.sleuthkit.org/autopsy/
CDROM based Bootable images:
FCCU GNU/Linux boot CD 10.0 from fccu. http://www.d-fence.be/
Fire from sourcefire http://fire.dmzs.com/
FoRK from Vital Data http://www.vitaldata.com.au/modules/...index.php?id=9 Requires a registration.
Here is a good list of forensics tools. http://www.forensics.nl/toolkits ..."
Last edited by AplusWebMaster; 2008-02-12 at 23:48. Reason: typos...
#9
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
- http://www.theregister.com/2006/02/07/spyware_survey/
7 February 2006
"Spyware programs that monitor users' surfing habits remain prevalent, but their frequency is on the decline, according to a recent academic study*. Security researchers at the University of Washington used web crawler technology to discover that around one in 20 executable files (5.5 per cent) offered for download on the net during a five month period contained some type of malware, mostly less malign code that generated invasive pop-up ads rather than more dangerous key-logging software. At the start of the May 2005 survey, 5.9 per cent of sites surveyed attempted to use security exploits to download spyware onto potentially vulnerable PCs. This figure for so called drive-by downloads dropped to 0.4 per cent by October 2005. Warez sites that offer pirated software topped the list for drive-by downloads (4.3 per cent of domains), with celeb sites (3.9 per cent) coming a close second. Although the density of scripted attacks dropped between May and October last year, spyware remains a substantial problem, the Washington researchers conclude..."
* http://www.cs.washington.edu/homes/g...spycrawler.pdf :(
#10
Adviser Team
Join Date: Oct 2005
Location: USA
Posts: 2,262
FYI...
- http://isc.sans.org/diary.php?storyid=1126
Last Updated: 2006-02-16 04:03:36 UTC
"The proof of concept exploit for MS06-005 has been released. The exploit crafts a malicious BMP file to perform a buffer overflow in Media Player. Keeping in mind, as Microsoft has pointed out, that the exploiting factor can include other graphics files as well (such as .wmp), it's a good idea to get it patched ASAP."
>>> http://www.microsoft.com/technet/sec.../MS06-005.mspx
- http://www.techweb.com/article/print...section=700028
February 16, 2006
"..."There are two exploits circulating," said Mike Puterbaugh, the vice president of marketing at eEye Digital Security, the Aliso Viejo, Calif.-based company which first uncovered the Media Player vulnerability. "One is somewhat minor, and can cause a denial-of-service, but the second we're taking far more seriously," said Puterbaugh. "It's 95 percent there as a propagated mass attack. "All the guy needs to do is add shell code to it to remotely exploit machines." The exploit, which was posted to the Bugtraq security mailing list is "minutes or days from being completed," Puterbaugh said. "The exploit hasn't been able to reliably write to the same part of memory every time, but once he gets that, it's game over"..."
- http://isc.sans.org/diary.php?storyid=1129
Last Updated: 2006-02-17 13:28:51 UTC
"The 'sploit writers have been busy. In the last 24 hours a total of four exploits have been released - two each for MS06-005 and MS06-006.
MS06-005 - Vulnerability in Windows Media Player Could Allow Remote Code Execution
MS06-006 - Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution ..."
Symantec ThreatCon Level is 2 - http://www.sarc.com/#
"The ThreatCon remains at Level 2 in light of proof-of-concept exploits released Friday for Microsoft Security Bulletins MS06-005 (BID 16633) and MS06-006 (BID 16644). Customers are advised to install appropriate updates as soon as possible..."
Last edited by AplusWebMaster; 2006-02-19 at 15:47. Reason: Additional info...