May 2006 - Posts

Snort bypass vulnerability (NEW)

Published: 2006-05-31,
Last Updated: 2006-05-31 19:21:02 UTC by Jason Lam (Version: 1)

Demarc just released a vulnerability alert on Snort. The vulnerability leads to evasion of URI content rules. When a carriage return is added to the end of a URL (before HTTP protocol declaration), Snort detection can be evaded. According to the alert, this vulnerability will affect thousands of detection rules in the standard rule base. Thanks to Ben McDougall for reporting this to us.

Please refer to the vulnerability alert for more details,
http://www.demarc.com/support/downloads/patch_20060531

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
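The evasion described above turns on a lenient parser: a control byte (the stray carriage return) sits inside the request-URI, and the URI an inspection engine matches its rules against no longer agrees with what a strict reader of the request line would see. As an added example (not code from Demarc's alert or from the Snort project), the Python below parses a request line strictly against the Method SP Request-URI SP HTTP-Version grammar, reports every deviation, and returns a normalised URI with control bytes removed so an engine can both alert on the malformed line and match URI content rules against the cleaned value. The sample request lines are constructed.

```python
import re

# Byte values that must never appear inside a request-URI: ASCII controls and DEL.
CONTROL_BYTES = frozenset(range(0x00, 0x20)) | {0x7F}
_VERSION_RE = re.compile(rb"HTTP/\d\.\d$")


def parse_request_line(line: bytes) -> dict:
    """Parse one HTTP request line strictly and report every deviation.

    Expected form:  Method SP Request-URI SP HTTP-Version CRLF
    Any control byte inside the URI (the advisory's stray CR before the
    version token is one instance) is reported, and a normalised URI with
    those bytes stripped is returned for rule matching.
    """
    anomalies = []
    if line.endswith(b"\r\n"):
        raw = line[:-2]
    elif line.endswith(b"\n"):
        raw = line[:-1]
        anomalies.append("bare LF line terminator")
    else:
        raw = line
        anomalies.append("missing line terminator")

    method, sep, rest = raw.partition(b" ")
    if not sep:
        anomalies.append("no SP after method")
    if not re.fullmatch(rb"[A-Z]+", method):
        anomalies.append("non-token method")

    # The version must be the last token; locate it and take everything before it as the URI.
    m = _VERSION_RE.search(rest)
    if m:
        version = m.group(0).decode("ascii")
        uri = rest[:m.start()]
        if uri.endswith(b" "):
            uri = uri[:-1]
        else:
            anomalies.append("no SP before HTTP-version")
    else:
        version = ""
        uri = rest
        anomalies.append("missing HTTP-version token")

    if b" " in uri:
        anomalies.append("SP inside request-uri")
    ctrl = sorted({b for b in uri if b in CONTROL_BYTES})
    if ctrl:
        anomalies.append("control bytes in request-uri: " + ", ".join(f"0x{b:02x}" for b in ctrl))
    normalized_uri = bytes(b for b in uri if b not in CONTROL_BYTES)

    return {
        "method": method.decode("ascii", "replace"),
        "uri": uri,
        "normalized_uri": normalized_uri,
        "version": version,
        "anomalies": anomalies,
    }


# Constructed sample input: two well-formed lines and two with a CR inside the URI.
SAMPLE_REQUEST_LINES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"POST /cgi-bin/submit.pl HTTP/1.0\r\n",
    b"GET /cgi-bin/test\r HTTP/1.1\r\n",   # CR appended to the URI, then SP and version
    b"GET /cgi-bin/test\rHTTP/1.1\r\n",    # CR where the SP before the version should be
]


def audit(lines):
    """Return (index, parsed) for every request line that deviates from the grammar."""
    findings = []
    for i, line in enumerate(lines):
        parsed = parse_request_line(line)
        if parsed["anomalies"]:
            findings.append((i, parsed))
    return findings


if __name__ == "__main__":
    for i, p in audit(SAMPLE_REQUEST_LINES):
        print(f"line {i}: uri={p['uri']!r} normalized={p['normalized_uri']!r} -> {p['anomalies']}")
```

Alerting on the anomaly list is the more robust signal here: the malformed line itself is the indicator, independent of which URI rule it was meant to slip past.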

This is really nice, wait for the patch for the Word 0-day to be released next patch cycle, or PAY to get the patch now with Windows Live OneCare.  Talk about extortion…
Windows Live OneCare available now
Posted by woody on 31 May 2006 - 07:19:05
Windows Patches/Security
Tell me if this burns you up.

Microsoft just announced that the long-anticipated anti-virus/anti-everything service, Windows Live OneCare is now available for purchase. It's, uh, Live.

The very first item on OneCare's main page? The Word 0day security hole I wrote about almost two weeks ago. Microsoft calls it "Exploit:Win32/Wordjmp" and identifies it as a "moderate" risk.

So let me see if I understand this. Microsoft doesn't have the security patch for this particular hole ready. They may or may not release the patch on June's Patch Tuesday.

But Microsoft will sell you protection, if you buy Windows Live OneCare, today.

As John Dvorak wrote in his PC Mag column last October:

Does Microsoft think it is going to get away with charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system? Does the existence of this not constitute an incredible conflict of interest? Why improve the base code when you can sell "protection"? Is Frank Nitti the new CEO?

'Tis a crazy world we live in....

Woody’s no-bull news, tips and help for Windows and Office.

More on Symantec vulnerabilities (NEW)

Published: 2006-05-31,
Last Updated: 2006-05-31 01:21:02 UTC by Bojan Zdrnja (Version: 1)

The latest patches from Symantec are causing quite a bit of confusion. To reiterate again what Kevin wrote in his diary (http://isc.sans.org/diary.php?storyid=1368):

*ALL* versions of 10.0.x and 10.1.x of Symantec Antivirus Corporate Edition and 3.0.x and 3.1.x of Symantec Client Security seem to be vulnerable.
Symantec Antivirus Corporate Edition version 8.x and 9.x seem to be ok.

Symantec released 4 patches for each product (http://www.symantec.com/avcenter/security/Content/2006.05.25.html):

Symantec Antivirus Corporate Edition
10.1.0.394 -> 10.1.0.396 (there's a typo here on their web, it's not version 3)
10.1.0.400 -> 10.1.0.401
10.0.2.2010 -> 10.0.2.2011
10.0.2.2020 -> 10.0.2.2021

Symantec Client Security
3.1.0.394 -> 3.1.0.396
3.1.0.400 -> 3.1.0.401
3.0.2.2010 -> 3.0.2.2011
3.0.2.2020 -> 3.0.2.2021

Now, if you are running *ANY* other version that is affected, you will have to first upgrade to one of the versions that have the patch out and then install the patch. I hope this will clear the confusion.

There seem to be some mitigations to the problem though. As eEye stated, this is a remotely exploitable vulnerability. Symantec Antivirus Corporate Edition, when in managed mode, will have the service Rtvscan.exe listening on TCP port 2967. If your host-based firewall is configured to block access to this port (effectively meaning that you can't manage the client from the centralized server, at least not until the client connects to it) you should be ok.
On our test machine, the unmanaged installation of Symantec Antivirus Corporate Edition didn't have any listeners so it looks like it's safe, at least from a remote exploit over the network (patch in any case!).

If we get more information we'll update the diary. Thanks to Gary for help with this.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Symantec AV Vulnerability Latest

Published: 2006-05-29,
Last Updated: 2006-05-29 21:21:41 UTC by Kevin Liston (Version: 2)

Symantec has updated their advisory (http://www.symantec.com/avcenter/security/Content/2006.05.25.html)

They confirm that the following versions are affected:
Symantec Client Security-
   3.0 all builds
   3.1 all builds

Symantec Antivirus Corporate Edition-
   10.0 all builds
   10.1 all builds

The following patches are available:
Symantec Client Security-
   3.0 Builds 3.0.2.2010 and 3.0.2.2020
   3.1 Builds 3.1.0.394 and 3.1.0.400

Symantec Antivirus Corporate Edition-
   10.0 Builds 10.0.2.2010 and 10.0.2.2020
   10.1 Builds 10.1.0.394 and 10.1.0.400

Symantec recommends that you upgrade to a "patchable" version.  This may be bad news for some organizations.

Some have reported that the patching process is not trivial, and can be difficult to roll out in some environments.

At this time, there have been no reports of proof-of-concept code or exploit code other than that held privately by eEye.

We have not received any reports of exploitation in the wild.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Link to 'a new Microsoft patch' being spammed (NEW)

Published: 2006-05-30,
Last Updated: 2006-05-30 02:19:26 UTC by Bojan Zdrnja (Version: 1)

We've received samples of an e-mail which is being actively spammed at the moment. The e-mail purports to be from Microsoft and it is notifying the recipient of "a new vulnerability [that] has been discovered in the Microsoft WinLogon Service". It further states that the vulnerability can allow an attacker access to the unpatched system.

Of course, the user is advised to install the patch which can be downloaded from the included link.

As the e-mail body is an HTML message, the displayed link (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) is not where the user will really be sent:

http:// www.redcallao.com/ [REMOVED] / winlogon_patchV1.12.exe

At the time this diary was written, the site was still up and serving malware. AV detection, although better than the first time we tried it, is still pretty bad. Only 8 products from VirusTotal detected this:

AntiVir     6.34.1.34   05.29.2006    Heuristic/Crypted.Modified
BitDefender 7.2         05.30.2006    Trojan.BeastPWS.C
Kaspersky   4.0.2.24    05.30.2006    Trojan-Spy.Win32.Delf.jq
NOD32v2     1.1566      05.30.2006    Win32/Spy.Delf.NBR
Panda       9.0.0.4     05.29.2006    Suspicious file
Sophos      4.05.0      05.30.2006    Troj/BeastPWS-C
Symantec    8.0         05.30.2006    Infostealer

Does all this sound familiar? Sure, it's (almost) the same story that the Swen worm (or Gibe.F) tried to "sell" to the users. Hopefully this one will not come close to doing what Swen did.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
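The trick the diary describes, a displayed link that reads as a microsoft.com URL while the href points elsewhere, can be caught mechanically at the mail gateway. As an added example (not part of the ISC diary), the Python below parses the HTML body of a message and, for every anchor whose visible text looks like a URL, compares the host the reader sees with the host in the href. The sample message is constructed, and the real destination host from the diary is replaced with the placeholder badhost.example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that a reader would take for a web address.
_URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host part of a URL; a bare 'www.host/path' is treated as http."""
    u = url.strip()
    if "://" not in u:
        u = "http://" + u
    return (urlparse(u).hostname or "").lower()


def find_deceptive_links(html: str) -> list:
    """Return anchors whose URL-looking text names a different host than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        if not _URL_LIKE.match(text):
            continue  # plain link text ("Unsubscribe") cannot misstate a host
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append({
                "displayed": text,
                "actual": href,
                "displayed_host": shown,
                "actual_host": real,
            })
    return findings


# Constructed sample modelled on the spam described above; badhost.example is a placeholder.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>A new vulnerability has been discovered in the Microsoft WinLogon Service.
Install the patch from the link below.</p>
<p><a href="http://badhost.example/path-removed/winlogon_patchV1.12.exe">http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe</a></p>
<p>More information: <a href="http://www.microsoft.com/technet/security/">http://www.microsoft.com/technet/security/</a></p>
<p><a href="http://badhost.example/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"shown as {f['displayed_host']} but goes to {f['actual_host']}: {f['actual']}")
```

The second anchor (text and href both on www.microsoft.com) and the third (non-URL text) produce no finding; only the disguised download link does.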

Security Response has published a removal tool to clean infections of W32.Mytob.PP@mm. Version 1.38 of the tool can be obtained by visiting:

http://www.symantec.com/avcenter/venc/data/w32.mytob@mm.removal.tool.html

Cogent Routing Outages (NEW)

Published: 2006-05-24,
Last Updated: 2006-05-24 11:55:40 UTC by Johannes Ullrich (Version: 2)

This morning (shortly after 9am UTC, 5am EDT), Cogent experienced an outage resulting in many sites being not reachable. Things are slowly coming back together. Some sites may still not yet be reachable.

Keynote shows issues between Cogent and almost all of its peers, as well as some isolated issues with Savvis.
http://scoreboard.keynote.com/scoreboard/Main.aspx?Login=Y&Username=public&Password=public

Note: Cogent's URL is 'cogentco.com', NOT 'cogent.com'.

Screen shot from Keynote as of 07:50 EDT (11:50 UTC): [image]

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Gee, I wonder how this happened??  Rest of the article is at the link below.

 

Halliburton, Bechtel could be factors in border security plan

By Mike Sunnucks
The Business Journal of Phoenix
Updated: 7:00 p.m. ET May 21, 2006

Two big and controversial corporate names -- Halliburton and Bechtel -- could benefit from mammoth increases in federal spending on border security.

Federal and state efforts to bolster porous border security include plans for increased security infrastructure and expanded use of technology, including radar. Other plans include construction of more prison beds, and additional law enforcement operations, security roads and improved employment verification systems and ports of entry.

That will mean billions of dollars in border-related contract opportunities for defense, technology and other government contractors. A substantial number of border security contracts are expected to go to major contractors -- including big infrastructure, construction and contract management experts such as Halliburton Co. and Bechtel Corp.

"It's the big boys that will benefit from this," said Congressman Ed Pastor, a Phoenix Democrat. "Most of the big contracts are going to go out to the Halliburtons and Bechtels."

Those two companies are well-known for being politically connected and have received top infrastructure, energy and construction management contracts in Iraq. They also have critics who worry about their political ties to the Bush administration and Washington, D.C., power brokers.

Houston-based Halliburton formerly was headed by Vice President Dick Cheney, and its subsidiary KBR (Kellogg Brown & Root) constructed the post-9/11 terrorist jail cells at the U.S. Naval Base at Guantanamo Bay, Cuba. KBR already won one contract to build more prison facilities to help with border enforcement.

Those two companies specialize in large infrastructure and construction-related contracts. Various border security plans call for construction of security fences and walls, new roads and equipment for the resource-challenged U.S. Border Patrol, technology surveillance applications and more law enforcement offices, checkpoints and jail cells to house illegal migrants caught crossing the border as well as drug traffickers and other smugglers.

Pastor said large contractors often get awarded comprehensive federal contracts when there is a rush to get quick movement on a matter. Those contractors then can dole out subcontracts to specialty firms and subcontractors.

Halliburton, Bechtel could be factors in border security plan - Top Stories - MSNBC.com.

Update on Word 0-Day Issue (NEW)

Published: 2006-05-23,
Last Updated: 2006-05-23 12:19:28 UTC by David Goldsmith (Version: 1)

Microsoft and eEye have each released advisories related to the issue this evening.

Microsoft's security advisory can be found here.

eEye's advisory can be found here.

The information about vulnerable exploits differs a little between the two advisories.

Microsoft says the vulnerability only affects Word 2002/XP and Word 2003 and that Word 2000 is not vulnerable. The Microsoft advisory contains information on workarounds including not using Word as the default mail editor in Outlook and running Word in 'Safe Mode' to disable the functionality that is affected by the vulnerability and exploit.

eEye says that the vulnerability affects Word 2000 as well.  The eEye advisory mentions that they believe there are two variants of this exploit.  Thus, it may be that the first variant only affects Word 2002/XP and 2003 and the second variant affects all three versions.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 22, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (919637)
  - Title: Vulnerability in Word Could Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/919637.mspx
  - Revision Note: Advisory Published: May 22, 2006   

********************************************************************

Targeted attack: experience from the trenches

Published: 2006-05-21,
Last Updated: 2006-05-21 18:32:42 UTC by Swa Frantzen (Version: 3)

Learn

Learning lessons from incidents is a very important part of incident handling. Yet with targeted attacks it is very hard as you need to have a case before you can learn. So learning from others is even more important in this case.

Michael reported on an unnamed organization being hit by a limited, extremely targeted attack.

Detection is mostly the very hard part in these attacks. This case seems to have been detected by a very alert user noticing a domain name in an email that wasn't completely right.

That user detected an email coming in that originated from a domain that looked like their own, but wasn't their own (actually only had an MX record in it). The email was written to look like an internal email, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.

FUD?

In reaction to this reporting we've seen people react to it like it were a widespread thing. We need to stress this is not the case. This kind of attack is new, and so must the response be.

The group originating these attacks does so in a very targeted fashion. The document is crafted to target a specific organization, containing specific elements that deal with just that one organization. If you don't work for them, you are very unlikely to ever see this. Proof of how rare it is: the number of requests for samples we got from companies like anti-virus vendors.

Chances are really huge you're not targeted, at least not by this exploit. There is so far one group doing (at least) one very targeted attack with this. Either they need to change their method of operation to do widespread attacks, or some other group would need to get a sample, reverse engineer it, find the core of the exploit, modify it to work in a wider fashion and launch a new attack.

So do you need to dig in now? Most likely not, we suggest you act as if it's any new vulnerability where the details are still very well hidden.

  • The one organization being targeted needs specific actions.
  • If you are on the potential target list, you need to learn to defend against the unknown, not against this threat.
  • If you're not on their target list, chances are you will not see an exploit till Microsoft releases a patch and the knowledge to exploit it can be derived by the hackers.

Panic and blindly taking actions is probably the worst course of action you can take.

Report

To say it in Michael's words:

"Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system).  The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed.  After extracting and launching the trojan, the exploit then overwrote the original Word document with a "clean" (not infected) copy from payload in the original infected document.  As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file.  If the user agrees, the new "clean" file is opened without incident." They are working with Microsoft on this.

"We are still analyzing the trojan dropped by the exploit.  What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP.  It is proxy-aware, and "pings" this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute.  It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows".  Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.

We have traced nearly this attack to the far east; specifically, China and Taiwan.  IP's seen are registered there, domains seen are registered there, and the emails received originated from a server in that region.  The attackers appear to be aware that they have been "outed", and have been routinely changing the IP address associated with the URL above.

Due to the aggravating circumstances (0-day, no AV detection), we wanted to make sure the community is aware that this problem exists as soon as possible."

More information:

Many thanks to all handlers active on this: Johannes, Chris, William, Adrien.

--
Swa Frantzen - Section 66
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

3322, 8866 and others
Posted by Mikko @ 21:02 GMT

There's been quite a lot of buzz about the new 0-day Word vulnerability.

While talking about details of the vulnerability, it's easy to forget what the vulnerability was actually used for.

According to the information we have, a US-based company was targeted with emails that were sent to the company from the outside but were spoofed to look like internal emails.

The emails contained a Word DOC file as an attachment. DOCs are a nasty attack vector. A few years ago, when macro viruses were the number one problem, many companies were not allowing native DOC files through their email gateways. Now that has changed, and DOCs typically get through just fine. But Word has vulnerabilities and users typically don't install Word patches nearly as well as Windows patches.

When run, the exploit file ran a backdoor, hid it with a rootkit and allowed unrestricted access to the machine for the attackers, operating from a host registered under the Chinese 3322.org domain.

3322.org is a free host bouncing service in China. Anybody can register any host name under 3322.org (like whatever.3322.org) and the service will point that hostname to any IP address you want. There's actually a series of such services, including 8866.org, 2288.org, 6600.org, 7700.org, 8800.org and 9966.org. There are tons of useful things you can do with such host-resolving service. And tons of bad things too.

Now, we've seen these kinds of attack before.

In March 2005, somebody was sending out dozens of emails to US government email addresses, spoofed to be from Washington Post. The email content talked about "international IPR conventions China has acceded to". The attached DOC file dropped a backdoor that connected to a host under 8866.org.

In September 2005, somebody sent several batches of EU-themed emails to addresses at the EU Parliament. Email topics included "Parliamentary Assembly", "Assembly of Council of Europe" and "Parliamentary Assembly Declaration". Emails contained a DOC that connected to a host under 3322.org.

In March 2006, a big European company received emails that were spoofed to look like internal job applications. The attached DOC file dropped a backdoor that connected to a host under 3322.org.

In April 2006, another European company was targeted by a similar attack, this time connecting to a host under 8866.org.

And now in May 2006, this latest case complete with a zero-day exploit, connecting to a host under 3322.org.

So, should you block access to hosts under 3322.org, 8866.org and others? Depends. It's kind of like blocking access to Geocities: you'd block lots of bad stuff - and lots of good stuff. But then again, most users of these services are in China. If you're not in China and your users are not supposed to access different Chinese services, blocking might not break too many things.

We'd recommend you at least check your company's gateway logs to see what kind of traffic you have to such services.

F-Secure : News from the Lab - May of 2006.
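Both the ISC diary above (zero-byte HTTP POSTs to localhosts.3322.org about once a minute) and F-Secure's advice to check gateway logs for traffic to 3322.org, 8866.org and the related services describe things a proxy log can answer. As an added example (not code from either source), the Python below does both checks: it matches request hosts against a watchlist built from the domains named in the F-Secure post, and it flags (client, host) pairs whose requests are nearly equally spaced, recording how many of them were empty POSTs. The simplified log format and the log lines are constructed for the example; the only real host name in them is the one named in the diary, and the client addresses are made up.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Free dynamic-DNS domains named in the F-Secure post; any host under them is watchlisted.
WATCHLIST_SUFFIXES = ("3322.org", "8866.org", "2288.org", "6600.org", "7700.org", "8800.org", "9966.org")

# Constructed sample in a simplified proxy-log layout (not a real product's format):
# epoch_seconds client_ip method url status request_body_bytes
SAMPLE_PROXY_LOG = """\
1148220000 10.1.2.33 POST http://localhosts.3322.org/ 200 0
1148220010 10.1.2.33 GET http://www.example.com/index.html 200 0
1148220015 10.1.2.34 GET http://www.example.com/news.html 200 0
1148220050 10.1.2.34 POST http://www.example.com/form.cgi 200 512
1148220061 10.1.2.33 POST http://localhosts.3322.org/ 200 0
1148220119 10.1.2.33 POST http://localhosts.3322.org/ 200 0
1148220181 10.1.2.33 POST http://localhosts.3322.org/ 200 0
1148220240 10.1.2.33 POST http://localhosts.3322.org/ 200 0
1148220300 10.1.2.35 GET http://files.8866.org/update.exe 200 0
"""


def parse_log(text: str) -> list:
    """Turn the constructed log text into a list of request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, body = line.split()
        records.append({
            "ts": int(ts),
            "client": client,
            "method": method,
            "url": url,
            "host": (urlparse(url).hostname or "").lower(),
            "status": int(status),
            "body_bytes": int(body),
        })
    return records


def on_watchlist(host: str) -> bool:
    """True for the listed domains themselves and any host beneath them."""
    return any(host == s or host.endswith("." + s) for s in WATCHLIST_SUFFIXES)


def find_watchlist_hits(records: list) -> list:
    """Distinct (client, host) pairs that talked to a watchlisted domain."""
    seen, hits = set(), []
    for r in records:
        key = (r["client"], r["host"])
        if on_watchlist(r["host"]) and key not in seen:
            seen.add(key)
            hits.append({"client": r["client"], "host": r["host"]})
    return hits


def find_beacons(records: list, min_events: int = 4, max_jitter: float = 0.25) -> list:
    """Flag (client, host) pairs whose request times are nearly equally spaced.

    The period is the median gap between consecutive requests; the pair is a
    beacon candidate when every gap lies within max_jitter of that median.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r)

    beacons = []
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_events:
            continue
        times = sorted(r["ts"] for r in reqs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            beacons.append({
                "client": client,
                "host": host,
                "events": len(reqs),
                "period_seconds": round(period),
                "empty_posts": sum(1 for r in reqs if r["method"] == "POST" and r["body_bytes"] == 0),
                "watchlisted": on_watchlist(host),
            })
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_PROXY_LOG)
    print("watchlist hits:", find_watchlist_hits(recs))
    print("beacons:", find_beacons(recs))
```

The watchlist check is cheap and answers F-Secure's question directly; the spacing check is what catches a checkin to a host that is not yet on any list, which is why the beacon record carries the watchlist flag rather than depending on it.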


A quick check-in on the Word vulnerability

Hi everyone, Stephen Toulouse here again.  I wanted to catch you up on where we’re at with our investigation of the Word vulnerability.

First off on the vulnerability itself: I want to reiterate we’re hard at work on an update.  The attack vector here is Word documents attached to an email or otherwise delivered to a user’s computer.  The user would have to open it first for anything to happen.  That information isn’t meant to say the issue isn’t serious, it’s just meant to clearly denote the scope of the threat.

Now, we’ve received singular reports of attacks and have been working directly with the couple of customers thus far affected.  In analyzing the malware we’ve added detection to the Windows Live Safety Center, and we’ve passed all that information over to our antivirus partners.  But in breaking down the current malware we discovered some commonality to the current attack.  The attack we’ve seen is email based.  The emails tend to arrive in groups, they often have fake domains that are similar to real domains of the targets, but the targets are valid email addresses.

Currently two of the subject lines we have seen are:

Notice
RE Plan for final agreement

The attack we have seen so far requires admin rights, so limitations on user accounts can help here.  I want to repeat that customers who believe they are affected can contact Product Support Services.  You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location:

http://support.microsoft.com/security.

So far, this is a *very* limited attack, and most of our antivirus partners are rating this as “low”.  But we’re working to investigate any variants we might see to make sure detection is out there, as well as working on the update to address the vulnerability.

S.

PS: Michael Howard recently wrote a great article on not running as admin.  It can be found here:  http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure01182005.asp

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Published Saturday, May 20, 2006 9:03 PM by stepto

Welcome to the Microsoft Security Response Center Blog! : A quick check-in on the Word vulnerability.

Microsoft Word Vulnerability (NEW)

Published: 2006-05-20,
Last Updated: 2006-05-21 02:05:23 UTC by Koon Tan (Version: 1)

Most anti-virus vendors have already come out with signatures to detect the malware exploiting the MS Word vulnerability. By now, I hope you have got all your AV signatures updated. Although relying on a virus scanner is not totally foolproof (especially on new variants), it is better than none (remember defense-in-depth).

At your firewall and IDS, you may want to monitor outbound traffic going to these domains, as this may be an indication of compromised hosts:

3322.org
scfzf.xicp.net

If you are filtering Word attachment at your gateway, it should be based on Word file type and not just on file extension alone.

US CERT has released a security alert on the Microsoft Word Vulnerability

Below are stories from ISC on this topic. We will update as we have more detailed information.

Word 0-day, recommended defenses

Targeted attack: Word exploit
- More AV vendor links have been added.

Targeted attack: experience from the trenches

(Update)
Microsoft has put up a new article on A quick check-in on the Word vulnerability (Thanks Juha-Matti). Part of the article is extracted below:

First off on the vulnerability itself: I want to reiterate we're hard at work on an update.  The attack vector here is Word documents attached to an email or otherwise delivered to a user's computer.  The user would have to open it first for anything to happen.  That information isn't meant to say the issue isn't serious, it's just meant to clearly denote the scope of the threat.

Now, we've received singular reports of attacks and have been working directly with the couple of customers thus far affected.  In analyzing the malware we've added detection to the Windows Live Safety Center, and we've passed all that information over to our antivirus partners.  But in breaking down the current malware we discovered some commonality to the current attack.  The attack we've seen is email based.  The emails tend to arrive in groups, they often have fake domains that are similar to real domains of the targets, but the targets are valid email addresses. 

Currently two of the subject lines we have seen are: 

Notice
RE Plan for final agreement

The attack we have seen so far requires admin rights, so limitations on user accounts can help here.  I want to repeat that customers who believe they are affected can contact Product Support Services.  You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location:

http://support.microsoft.com/security.

So far, this is a *very* limited attack, and most of our antivirus partners are rating this as "low".  But we're working to investigate any variants we might see to make sure detection is out there, as well as working on the update to address the vulnerability.
 
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
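The diary's point about filtering on Word file type rather than extension means looking at the first bytes of the attachment. As an added example (not code from the diary), the Python below classifies an attachment by its header, the OLE2 compound-file signature D0 CF 11 E0 A1 B1 1A E1 that Word 97-2003 .doc files (and other binary Office formats) carry and the {\rtf signature of RTF, which Word also opens, and combines that with the extension so that a renamed .doc is still caught and any disagreement between name and content is reported. The sample attachments are constructed headers, not real documents.

```python
import os

# Compound File Binary (OLE2) header used by Word 97-2003 .doc and other binary Office files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Rich Text Format, which Word opens as readily as .doc.
RTF_MAGIC = b"{\\rtf"
# Extensions an extension-only filter would act on.
WORD_EXTENSIONS = {".doc", ".dot", ".rtf"}
WORD_CONTENT_TYPES = {"ole2-compound", "rtf"}


def detect_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-compound"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide whether a gateway policy that blocks Word documents should stop this file.

    Blocking when either the extension or the content says "Word" keeps the
    extension rule (defence in depth) while closing the renamed-file gap; the
    mismatch flag tells the operator which files were lying about themselves.
    """
    ext = os.path.splitext(filename)[1].lower()
    content_type = detect_type(data)
    ext_says_word = ext in WORD_EXTENSIONS
    content_says_word = content_type in WORD_CONTENT_TYPES
    return {
        "filename": filename,
        "extension": ext,
        "content_type": content_type,
        "block": ext_says_word or content_says_word,
        "caught_by_content_only": content_says_word and not ext_says_word,
        "mismatch": ext_says_word != content_says_word,
    }


# Constructed sample attachments: recognisable headers padded with zeros, not real files.
SAMPLE_ATTACHMENTS = {
    "agenda.doc": OLE2_MAGIC + bytes(504),          # genuine-looking .doc
    "notes.txt": OLE2_MAGIC + bytes(504),           # .doc renamed to .txt: extension filter misses it
    "readme.doc": b"just a text file named like a document",
    "memo.rtf": b"{\\rtf1\\ansi Hello}",
    "photo.jpg": bytes.fromhex("FFD8FFE0") + bytes(60),
}


def gateway_pass(attachments: dict) -> dict:
    """Run every attachment through the policy and return the decisions by name."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, d in gateway_pass(SAMPLE_ATTACHMENTS).items():
        verdict = "BLOCK" if d["block"] else "allow"
        note = " (renamed, content check needed)" if d["caught_by_content_only"] else ""
        print(f"{name:12} {d['content_type']:14} {verdict}{note}")
```

The `caught_by_content_only` field is the measure of what the extension-only filter would have let through; in the constructed sample that is exactly the renamed notes.txt.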

Well I was finally able to get enough of my comic blog database up and running (with no help from my OLD webhost I might add) from backup to be able to recreate most of what is there.  It should look pretty much identical to what it did before it went down five days ago.

You can check it out at its new location: http://www.talesfromthelongbox.com/

 
