If you have ever visited ThinkGeek.com you know that they have quality products with geeks in mind.  Here is a good example of some of the products that are new on their website.

RFID Blocking Kit T-shirt

Zoom

Free! Only While Supplies last!

Yes, you read it right, but don't be fooled, this is a special deal for a limited time only! Be part of the exclusive club of geeks who own this one-of-a-kind t-shirt with our patented embedded RFID-blocking technology! Hurry up though, this offer is only good through Monday April 3, 2006 or while supplies last.

Why would you want your very own RFID-blocking t-shirt? Well to protect yourself from prying scanners of course. In the event of a privacy emergency, simply cut out the RFID "blocking" device and place on top of the RFID chip being scanned. The result is peace of mind in an instant, for only the cost of a gaping hole in your shirt.

So hurry up and get our limited edition RFID Blocking Kit T-shirt. Here's how you score one:

iZilla Media Monster

Zoom

Two Terrabyes Of Digital Media Euphoria

Tromping through the streets of downtown Tokyo... crunching tiny white audio players underfoot comes the iZilla. If you've been looking to step-up to a hungry man sized portable media player with incredible tech powers... this is it. First start with a whopping two terabytes of storage delivered by four 500 gig internal hard drives. Up the ante with a sweet 7" TFT-LCD touch screen... then crush your opponents with high-speed ripping capability for CD, DVD, and vinyl. A handy iPod dock allows you to transfer songs to and from the iZilla.

Listen to the iZilla roar through the internal six speaker surround system offering 5.1 channel surround sound with up to 120 watts per channel. Or enjoy your music privately with the included DJ-Style wireless bluetooth headphones up to 15 feet away. Built in wi-fi (802.11g), Gigabit Ethernet, Firewire and USB 2.0 ports ensure the maximum capability to transfer your tunes and video to external hard drives and computers.

Take the iZilla with you anywhere. It's like having an entire home entertainment system in a handy 30 pound white briefcase. The iZilla can be powered by a standard 120VAC wall outlet, or runs off 16 D size batteries (not included).

USB Desktop Tanning Center

Zoom

Zoom

New Bagle, new trick	Posted by Mikko @ 19:27 GMT

First things first: admins, block http access from your network to endoliteindia.com.

We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling.

The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again.

We are now detecting these as "W32/Bagle.GI". However, the contents keep changing.

To make a long story short: block access to this download site. It's at endoliteindia.com - a hacked web server in India. Abuse messages to the site and the upstream ISP have been sent.

Updated to add: At around 19:45 GMT, the download link died. Now it just returns 403 Forbidden, which is great. We never got replies to our abuse reports, but perhaps somebody took action. Or perhaps the Bagle gang did this themselves.

  Resolving endoliteindia.com... 64.38.19.50
  Connecting to endoliteindia.com[64.38.19.50]:80... connected.
  HTTP request sent, awaiting response... 403 Forbidden
  22:16:51 ERROR 403: Forbidden.

F-Secure : News from the Lab - March of 2006.

Thursday, March 30, 2006

Hey, TYPE-YOUR-CREDIT-CARD-NUMBER-HERE.COM is available for registration!	Posted by Mikko @ 14:00 GMT

Being curious about phishing, we decided to look into the number of domains
that mimic banks. Just how many are out there? Well, lots.

We did a simple search across com/net/org/us/biz/info top-level domains for common bank names.

Keyword	Number of domains
citibank*	497
bankofamerica*	407
lloyds*	994
bnpparibas*	41
egold*	691
hsbc*	1258
chase*	6470
paypal*	1634
ebay*	8057

Some examples of existing, active registrations, using citibank as an example:

  citibank-america.com
  citibank-credicard.com
  citibank-credit-card.com
  citibank-credit-cards.com
  citibank-account-updating.com
  citibank-creditcard.com
  citibank-loans.com
  citibank-login.com
  citibank-online-security.com
  citibank-secure.com
  citibank-site.com
  citibank-sucks.com
  citibank-update.com
  citibank-updateinfo.com
  citibank-updating.com
  citibankaccount.com
  citibankaccountonline.com
  citibankaccounts.com
  citibankaccountsonline.com
  citibankbank.com

Some of these probably perfectly legitimate. Others probably are not...like citibank-account-updating.com, registered last Friday to Ms. Evelyn Musa in Arlington, VA?

F-Secure : News from the Lab - March of 2006.

Microsoft Altering ActiveX in Next Set of Patches (NEW)

Published: 2006-03-30,
Last Updated: 2006-03-30 10:43:03 UTC by Ed Skoudis (Version: 1)

We've gotten several e-mails from diligent readers (Thank you, Juha-Matti, Richard, and others) about Microsoft's plans to alter the way ActiveX controls work in a non-security related update associated with some legal imbroglio.  According to Microsoft:

"So [On April 11] when we release the next cumulative IE security update [which will also include the non-security update associated with ActiveX], customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key."

That's not the end of the world, but it is worth noting.

What does this mean to you?  On April 11, some of your ActiveX controls may stop working.  You can test this new IE voodoo by downloading an optional patch for IE from Windows Update.  Microsoft will have a tool (a retro-patch?) for making IE behave like it does now, but that tool will only be supported through the June updates.

For more information, check out this advisory for the details, or the newly added section to the FAQ (as of yesterday) to this advisory, and read this blog posting from a Microsoft employee working this issue.  The blog posting includes specific advice for enterprise users (in summary... test!) and for consumers (in summary... use Windows Update and be happy!)

--Ed Skoudis.
Intelguardians

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

There are some publicly available 3rd party patches available for the createTextRange() bug. However, we recommend waiting for the official fix from Microsoft. Before the patch is available, one workaround is to disable the Active scripting from Internet Explorer.

Detailed instructions on how to do this can be read from the Microsoft advisory under Suggested Actions / Workarounds. Here's a screenshot of the procedure:

When the Active scripting is set to "Prompt", the prompting might look like this:

F-Secure : News from the Lab - March of 2006.

Am I the only one that finds this just a little bit funny??  

NASCAR.COM - Gordon fined $10K for incident with Kenseth - Mar 28, 2006.

Gordon fined $10K for incident with Kenseth

Veteran says he's through worrying about what people think of him

By David Newton, NASCAR.COM
March 28, 2006
05:08 PM EST (22:08 GMT)

Posted Wednesday, March 29, 2006 10:56 AM by cmosby | with no comments

Filed under: NASCAR

Microsoft Security Advisory Notification - March 28, 2006

Security Advisories Updated Today

==============================================

* Microsoft Security Advisory (917077)

- Title: Vulnerability in the way HTML Objects Handle

Unexpected Method Calls Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/917077.mspx

- Revision Note: Advisory updated with information regarding additional security software protections, current limited

scope of attacks, and the status of the Internet Explorer security update.

********************************************************************

Posted Tuesday, March 28, 2006 6:25 PM by cmosby | with no comments

Filed under: Security and Anti-Virus, Patch Management, Browser Wars, Internet Explorer

SANS - Internet Storm Center - Temporary Patches for createTextRange Vulnerability

 

Temporary Patches for createTextRange Vulnerability (NEW)

Published: 2006-03-28,
Last Updated: 2006-03-28 12:24:34 UTC by Johannes Ullrich (Version: 1)

Eeye released a temporary patch for the current createTextRange vulnerability. The patch can be found here:
  http://www.eeye.com/html/research/alerts/AL20060324.html. A second patch has been made available by Determina.

At this point, we do not recommend applying this temporary patch for a number of reasons:

• The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.
  
• We have not been able to vet the patch. However, source code is available for the Eeye patch, so you can do so yourself. Determina has not released source code at this point.
  
• Exploit attempts are so far limited. But this could change at any time.

Some specific cases may require you to apply the third party patch. For example, if you are required to use several third party web sites which only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch first in your environment. You may also want to consider contacting Microsoft. Microsoft may not be aware of the importance of security to its customers.

We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft suggested that the patch will be release no later then the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.

Please let us know about issues (or successful installs) of either patch. We will summarize issues here.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Posted Tuesday, March 28, 2006 11:13 AM by cmosby | with no comments

SANS - Internet Storm Center - Updates on IE vulnerability

Updates on IE vulnerability (NEW)

Published: 2006-03-27,
Last Updated: 2006-03-27 14:14:29 UTC by Pedro Bueno (Version: 1)

Our reader Juha-Matti pointed that MS updated its blog with informations about the patch and some advices for users:
"I want to reiterate that the IE team has the update in process right now and if warranted we'll release that as soon as it's ready to protect customers (right now our testing plan has it ready in time for the April update release cycle).  But if you're concerned you may be impacted, now you can visit http://safety.live.com to scan your machine and remove current attacks using this vulnerability."

Altough they say that are seeing only limited attacks, we have some reports of more than 100 sites (Saturday data) exploring this vulnerability, to install bots, keyloggers...

Update:
Btw, just to be clear about the safety live com thing, it offers some protection, but it can only protect you in known malware with signatures...It is not protecting you against the IE vulnerability...

Update2:
The number of sites are now over 200...

-------------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Posted Monday, March 27, 2006 12:04 PM by cmosby | with no comments

Filed under: Security and Anti-Virus, Patch Management, Browser Wars, Internet Explorer

F-Secure : News from the Lab - Internet Explorer exploits in the wild

Jeff Gordon says the person that NASCAR fined $10,000 on Tuesday for shoving Matt Kenseth after Sunday's race at Bristol Motor Speedway is closer to who he is than what fans have seen. Gordon, also placed on probation until Aug. 30, 2006, took a two-handed jab at Kenseth on pit road when Kenseth approached him to explain the bump that sent the four-time Nextel Cup champion from third place to 21st on the final lap.

Internet Explorer exploits in the wild	Posted by Jarkko @ 14:10 GMT

We've received some reports about the recent unpatched Internet Explorer vulnerability being exploited in the wild. The exploits are based on publicly available proof-of-concept code which exploits the processing of createTextRange() function.

At the moment, there's no patch for the vulnerabilities. Please read the following links for more detailed information about the vulnerability and possible workarounds:

http://www.securityfocus.com/bid/17196/info
http://www.microsoft.com/technet/security/advisory/917077.mspx
http://secunia.com/advisories/18680/

F-Secure Anti-virus detects HTML pages containing the exploit code as variants of Exploit.JS.CVE-2006-1359.

F-Secure : News from the Lab - March of 2006.

 

Email attachment vector for IE createTextRange() Remote Command Execution (NEW)

Published: 2006-03-26,
Last Updated: 2006-03-27 00:43:05 UTC by Patrick Nolan (Version: 1)

Just for the sake of clarity, there is an email attachment vector for this exploit that's not widely reported. I have not seen any reports of it being used at this time. MS's bulletin, in the FAQ's, in "Could this vulnerability be exploited through e-mail?", says it can be exploited if one "open(s) an attachment that could exploit the vulnerability." ISS obliquely says attacks may occur by "...simply embedding the required logic in specially crafted HTML emails.".

Note - My Outlook Web Access runs in the Local intranet Zone, and MS's suggested workaround for this IE Zone is change the Local intranet setting to prompt or disable for Active Script, or just crank the zone security setting to high for prompting.

HTML attachments, the IE Local Machine Zone Lockdown

According to MS, "Web pages accessed from the local computer are placed in the Local Machine zone" and "The Local Machine zone is an Internet Explorer security zone, but is not displayed in the settings for Internet Explorer.". "In Windows XP Service Pack 2, all local files and content that is processed by Internet Explorer has additional security applied to it in the Local Machine zone.".

"Specifically, these settings are:

URLACTION_ACTIVEX_ RUN resolves to Disallow.
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY resolves to Disallow.
URLACTION_SCRIPT_ RUN resolves to Prompt.
URLACTION_CROSS_DOMAIN_ DATA resolves to Prompt.
URLACTION_BINARY_BEHAVIORS_BLOCK resolves to Disallow.
URLACTION_JAVA_PERMISSIONS resolves to Disallow.".

Since "script in local HTML pages viewed inside of Internet Explorer prompts the user for permission to run", disallowing HTML attachments might be worth considering.

In addition, keeping gateway email AV sigs up to date is advisable. Drop us a note if you notice attacks coming at you via email. Thanks!

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Modified Malware for the IE Expoit

Published: 2006-03-26,
Last Updated: 2006-03-26 02:35:18 UTC by Lorna Hutcheson (Version: 1)

Its always interesting around the ISC and you'll never know what you'll be handed on any given day.  Its even more interesting when there is an unpatched IE vulnerability and an exploit available for it.  That is where we find ourselves now.  There are several sites that have been compromised and now contain the exploit code.  These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it.  It is calc.exe that we want to focus on briefly.

This malware installs a dll that is used as a Browser Helper Object (BHO) and also runscopies itself to directory you see below as nm32.exe and runs as a process.  The malware creates the following on install:

C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636

It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information it can get from the  Let's look at what is in the files.  The information I'm about to show is from my VM box, so it won't get you anywhere:>)

File: ipcfg636

Windows 2000 IP Configuration
    Host Name . . . . . . . . . . . . : vmwindows2k
    Primary DNS Suffix  . . . . . . . :
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
    Physical Address. . . . . . . . . : 00-0C-29-16-36-AB
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.227.128
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :

File:  start636

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    192.168.227.128:139    0.0.0.0:0       LISTENING
  UDP    0.0.0.0:135            *:*                   
  UDP    0.0.0.0:445            *:*                   
  UDP    0.0.0.0:1026           *:*                   
  UDP    192.168.227.128:137    *:*                   
  UDP    192.168.227.128:138    *:*                   
  UDP    192.168.227.128:500    *:*                   


File:  tmp636

    Protected Storage settings / PWL:
InfoDelivery
IdentityMgr
        IdentitiesPass    ::::€:Ï»b[
    HASH values:
Administrator:500:AF6E956C6F6836C4F3F9505A2D0958A7:0B14980C258F0D7178186CE65030A4A6:Built-in account for administering the computer/domain::
Guest:501:********************************:********************************:Built-in account for guest access to the computer/domain::
    RAS:
Total 0 entries
    Network settings:

File:  view636

Server Name            Remark

-------------------------------------------------------------------------------
\\VMWINDOWS2K                                                                 
The command completed successfully.

File:  Sub.txt

res://C:\WINNT\system32\shdoclc.dll/dnserror.htm#http://www.msn.com/
http://winxphome/index.html
http://winxphome/index.html
http://winxphome/index.html
email=lorna.hutcheson@somewhere.com
pw=password
pw-conf=password


The malware FTP's all the information out to a location.  It also has email capability.  The location given by McAfee in their writeup found here was as follows:  "The trojan attempts to upload harvested information to an FTP server (66.242.129.251)."  However, when I downloaded the malware and looked at it that was not the location I found in the strings.  I found:

0040F530   ASCII "200.182.57.13",0
0040F630   ASCII "21",0

So its seems that the malware has been swamped for a new version with the FTP server portion being changed.  I have not observed it attempting to FTP yet, still waiting with a sniffer running.  The strings also contained the username and password for the new site.  The file on the new IP  is now encrypted and the file wasn't before on the first FTP site.  So the individual seems to realize that folks are on to them.  I'm pretty sure that the malware has just been changed since its easier to modify the malware and where it FTPs to than to go back to all the hacked sites.

Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability!  As always, be careful its a jungle out there!

Lorna J. Hutcheson
CACI

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

The blogs at myITforum, Inc. have been upgraded and the blog address has changed.  You can find me here: http://myitforum.com/cs2/blogs/cmosby/default.aspx

Come by and check out the new system!!

 

IE exploit on the loose, going to yellow

Published: 2006-03-24,
Last Updated: 2006-03-24 18:29:57 UTC by Jim Clausing (Version: 2(click to highlight changes))

Update: We just received a report that a particular site uses the "createTextRange" vulnerability to install a spybot variant. It is a minor site with insignificant visitor numbers according to Netcraft's "Site rank".

The Bleedingsnort rule has been updated. It has been tested against that particular version of the exploit and works for it. For details, see this set of rules (last one is the 'createTextRange' rule).

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

- Web site: http://go.microsoft.com/fwlink/?LinkId=63915

- Web site: http://go.microsoft.com/fwlink/?LinkId=59550