Another IE Exploit makes the rounds...
We received a report from Gilbert Sebenste, a reader of ISC (thanks!), of a new IE bug. It was discovered Monday (or rather, published on Monday) and has apparently been assigned CVE-2006-4446; according to Bugtraq, the bug only affects IE 6.0 SP1.
So, we've said it before, and we'll say it again. Yes, sometimes it's not practical to switch off of IE, but where you can... do. Diversify I say! Even though Mac users aren't affected, use your Safari, Firefox, Opera...
Windows users: check out Firefox, Opera, and whatever other nice browsers you can throw out there. (I'm a Mac/*nix/*bsd user, so I am not familiar with all the Windows offerings.) IE is riddled with countless holes and bugs, so try and use something else.
Reader Ottmar followed up on this article with a suggestion for folks that just can't follow the advice above and want to make the best of the situation while still using IE. With respect to this specific issue and other ActiveX-based vulnerabilities in IE, the following Microsoft article explains how to modify the registry to keep ActiveX controls from running. Since this does involve modifying the registry, user beware! Without further ado, the Microsoft article can be found here.
----------------
Joel Esler
jesler{at}isc.sans.org
Mailbag grab
Security book online
Ryan sent us a link to an on-line book: Security Engineering: A Guide to Building Dependable Distributed Systems
by Ross Anderson
http://www.cl.cam.ac.uk/~rja14/book.html
But I guess you'll need to come back in a few days before you can get in and download it.
It is a good book well worth reading and I for one really like the attitude of the author.
RFC 1918
Jon sent us traffic to and from 10.x.y.z going over the Internet. It reminded us to filter that traffic away at your borders. There is no good such IP addresses (and any others mentioned in RFC 1918) can do out there. Dropping the traffic in ingress/egress filters is the right thing to do (also for the ISPs involved).
MS06-040
We got a few contacts from Canada, and some clarification regarding the MS06-040 bots might be needed:
- This is not an isolated issue. Several entities in various geographic locations are being hit.
- These are not the only such bots. There are many similar bots and it is not trivial to tell them apart unless you actually have the malware and the time to analyse it in detail.
- In most countries, the Internet is global: packets do not stop for customs or immigration ;-). Since most botnet herders are in it for the money so far, they don't really care about countries either.
Old school virus
Symantec has a writeup of what they call a new worm. The virus copies itself to removable storage. Nice to see an old school virus for a change in this bot-infected world. A good reminder to keep the anti-virus software scanning removable media as they are loaded.
Blocked traffic
John wrote in to say he saw attempted traffic from a netblock we suggested blocking a while ago that looked like it was trying to hammer him with DNS. We don't know what's going on, but it's one of those indications to continue to block them, or at least carefully watch what they are up to.
--
Swa Frantzen -- Section 66
Tip of the Day: Audit
As the last in the series of tips of the day, I chose the subject Audit.
Audits might sound scary as they verify your work, but they really should not. They can be a great tool for doing the right thing and catching (and correcting) errors before they escalate and become a problem. As a matter of fact, you can audit your own work, or do it in a team. We all know we cannot find errors in stuff we wrote ourselves, while they are obvious if somebody else wrote it.
Audit yourself/co-worker
You can do various audits yourself of your work:
- Are backups actually able to be read?
- Can we actually restore a backup from a system if we lose all the hard disks, or are we missing information?
- Are the dates/sizes of system files on all our computers still the same? (Poor man's HIDS, but it can also detect failed patches etc.)
- Do logs from all our systems actually end up in our central log repository?
- Did management acknowledge all incident reports you gave them? Were there changes implemented due to the incidents?
- Do we have blocklists? Do we update them regularly? Did we check if they are still relevant?
- Exposed scripts (such as e.g. cgi-bin Perl scripts)? Who reviewed them for security? Were they changed afterwards?
- Is everything you do documented, can co-workers understand it and take over your tasks?
- ...
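The "dates/sizes of system files" check above is easy to automate. The following is an added example written for this diary, not code from the ISC handlers: it snapshots size, mtime and SHA-256 of every file under a directory, stores the result as JSON, and diffs a later snapshot against it. The directory layout, the baseline file name and the files that demo() creates are constructed for illustration. It goes slightly beyond the text by also hashing content, because a change that preserves size and date would slip past a date/size-only comparison.

```python
"""Poor man's HIDS: baseline and compare size/mtime/SHA-256 of files.

Added example for the self-audit item above (not ISC code). Paths and the
demo files are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record size, mtime and SHA-256 for every regular file under root.

    Keys are POSIX-style relative paths so a baseline taken on one host can be
    compared with a snapshot of the same tree taken elsewhere.
    """
    root = Path(root)
    records = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        records[path.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mtime": int(st.st_mtime),
            "sha256": sha256_of(path),
        }
    return records


def compare(baseline, current):
    """Return (added, removed, changed) lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for rel in sorted(set(baseline) & set(current)):
        b, c = baseline[rel], current[rel]
        # Any field differing counts; the hash catches content swaps that keep
        # the same size and timestamp (which a date/size-only check misses).
        if (b["size"], b["mtime"], b["sha256"]) != (c["size"], c["mtime"], c["sha256"]):
            changed.append(rel)
    return added, removed, changed


def save_baseline(records, path):
    """Persist a snapshot; keep this file off the audited host (read-only media, central store)."""
    Path(path).write_text(json.dumps(records, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed walk-through: baseline a tiny tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF-original")
        baseline_file = Path(d) / "baseline.json"  # outside the audited tree
        save_baseline(snapshot(root), baseline_file)
        # Simulated incident: same-length content swap, a dropped file, a deleted file.
        (root / "bin" / "tool").write_bytes(b"\x7fELF-tampered")
        (root / "bin" / "dropped.exe").write_bytes(b"MZ")
        (root / "hosts").unlink()
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```

Run snapshot() once on a known-good system, store the JSON somewhere the audited host cannot write to, and re-run compare() on a schedule; the "changed" list after patch day is also a quick way to confirm a patch actually replaced the files it claims to.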
Internal Audits
Internal audits can go further:
- Are all our users in our user database(s) still rightfully there? Does the list match with what e.g. HR has as list of employees/contractors? Are the other users interactively used? Are they regularly re-confirmed as needed users? Do we have users that never log in?
- Can we actually start a Disaster Recovery without touching the existing equipment and information?
- Do people inside the company know where to find security policies? Do they know key content of the policies? When were they last reminded of the password policy? Are all our policies easy to read? Are all our policies short enough to be read in under 5 minutes?
- Is equipment we rely on for being warned about problems (availability, IDS, logs, ...) actually tested regularly? How are we sure?
- Are policies overruled? Why? By who? How often? Was it investigated? Did the policy change afterwards to fix the problem?
- Where are incidents logged? What were the conclusions? Do people know incidents that were not logged?
- If you need to find more cool audit ideas, check ISO27001 (or ISO17799); it has a bunch of ideas that you can test to see if you have them or not. Without a policy or guideline requiring it, this isn't a real audit check as in "must have", but it's always good to look for some extra credit and go beyond the minimum implied by the policies.
- Is the inventory complete? Are network diagrams up to date?
- Is everything labeled? Do machines with possibly confusing ports have labels added to identify the ports? Are cables labeled on both ends with both sides of what they connect?
- Are logbooks used and filled out? Or are they filled out just before the audit?
- ...
External Audits
Well, external audits generally should check the same stuff as the internal audits do, but be independent. Still, they are valuable as they can give you the ultimate magic bullet: management support. Typically this starts with regulatory and legal requirements, but it can check compliance with standards as well.
- They can grant a seal of approval.
- These audits can also audit those persons that are very hard to audit as an employee: the big chief: does (s)he feel the policies do not apply to him/herself?
- ...
- First of all: logs are huge. You do not want them to shrink in size.
- Computers are pretty good at finding things in large amounts of data, if you can tell them what to look for.
- The "what to look for", however, is lacking in the "review logs" assignment.
As soon as you know what to look for, you can automate it in less time than you do it manually once.
So that leaves?
- Create logs, the more the better, they might be the only trace you have of an incident.
- Do NOT review it manually, it is pointless.
- Automatically look through them
- for known problems (you learn them from past incidents).
- for never seen before entries using e.g. Marcus Ranum's nbs (never before seen) script/db so when something absolutely new occurred you get a chance to consider it interesting enough to treat as an incident or not.
- Keep them for the right amount of time
- Look through them for evidence and further understanding once you have an incident to deal with.
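One concrete way to do the "never seen before entries" step is a normalise-then-remember filter in the spirit of Marcus Ranum's nbs. The block below is an added example written for this diary, not Ranum's tool nor ISC code: it strips the variable fields a syslog line carries (timestamp, IP addresses, numbers) so that only the message shape is compared, learns the shapes from a constructed baseline day, and returns the lines from a constructed later day whose shape has never been seen. The sample log lines, host name and user names are constructed.

```python
"""Never-before-seen log filter (added example; constructed sample lines)."""
import json
import re
from pathlib import Path

# Substitutions applied in order; each swaps a variable field for a placeholder
# so that two lines with the same *shape* collapse to the same key.
PATTERNS = [
    (re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d "), ""),  # syslog timestamp
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),           # IPv4 address
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "<hex>"),                   # hex value
    (re.compile(r"\b\d+\b"), "<n>"),                                # any other number
]


def normalize(line):
    """Reduce a log line to its shape; PIDs, ports and addresses become placeholders."""
    for pattern, replacement in PATTERNS:
        line = pattern.sub(replacement, line)
    return line.strip()


class NeverBeforeSeen:
    """Remembers every shape it has been shown and reports the ones it has not."""

    def __init__(self, known=()):
        self.seen = set(known)

    def check(self, line):
        """True if this line's shape is new (and remember it), False otherwise."""
        key = normalize(line)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True

    def filter_new(self, lines):
        return [line for line in lines if self.check(line)]

    def save(self, path):
        """Persist the learned shapes so tomorrow's run only reports genuinely new ones."""
        Path(path).write_text(json.dumps(sorted(self.seen)))

    @classmethod
    def load(cls, path):
        return cls(json.loads(Path(path).read_text()))


# Constructed sample: a quiet baseline day ...
BASELINE_LOG = [
    "Aug 30 08:12:01 gw sshd[3101]: Accepted publickey for alice from 10.0.0.5 port 50210 ssh2",
    "Aug 30 08:15:44 gw sshd[3122]: Accepted publickey for bob from 10.0.0.7 port 50233 ssh2",
    "Aug 30 09:00:00 gw kernel: [ 1234.567] eth0: link up",
    "Aug 30 17:40:09 gw sshd[3900]: Accepted publickey for alice from 10.0.0.5 port 50987 ssh2",
]
# ... and the next day, with two lines whose shape the baseline never produced.
TODAY_LOG = [
    "Aug 31 08:10:33 gw sshd[4120]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Aug 31 08:11:02 gw sshd[4133]: Accepted publickey for bob from 10.0.0.7 port 51030 ssh2",
    "Aug 31 03:04:00 gw sshd[4190]: Accepted password for root from 192.0.2.77 port 40123 ssh2",
    "Aug 31 03:04:01 gw sshd[4190]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Aug 31 09:00:00 gw kernel: [ 5678.910] eth0: link up",
]


def demo():
    """Learn the baseline shapes, then return today's never-before-seen lines."""
    nbs = NeverBeforeSeen()
    for line in BASELINE_LOG:
        nbs.check(line)
    return nbs.filter_new(TODAY_LOG)


if __name__ == "__main__":
    for line in demo():
        print("NEW:", line)
```

The first run over a new log source is noisy by design: every shape is new. After a few days the learned set settles and what remains is exactly the "absolutely new" entry the text talks about, which a human then decides to treat as an incident or to add to the known set.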
--
Swa Frantzen -- Section 66
botnet submitted
Please note: this was submitted as an NT worm/botnet, it however does not seem to be affecting NT only.
We received copies of malware found by Geo on an NT system that are being discussed in public forums; they appear to be (variants of) known botnets. Here's what Norman and virustotal.com had to say about them [sanitized]:
[updated: Thorsten pointed out 2 files were the same (they are indeed), yet the differing results from the sandbox set us on the wrong foot. Fixed.]
eraseme & csrsc:
Norman:
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Anti debug/emulation code present.
* Locates window "NULL [class mIRC]" on desktop.
* File length: 86016 bytes.
* MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\csrsc.exe.
* Deletes file c:\sample.exe.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Creates key "HKLM\System\CurrentControlSet\Services\npx".
* Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
* Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
* Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
* Modifies value "UpdatesDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "FirewallDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "AntiVirusOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "FirewallOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
* Sets value "AUOptions"="^A" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
* Creates key "HKLM\System\CurrentControlSet\Services\wscsvc".
* Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
* Creates key "HKLM\System\CurrentControlSet\Services\TlntSvr".
* Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\TlntSvr".
* Creates key "HKLM\System\CurrentControlSet\Services\RemoteRegistry".
* Creates key "HKLM\System\CurrentControlSet\Services\Messenger".
* Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\Messenger".
* Sets value "restrictanonymous"="^A" in key "HKLM\System\CurrentControlSet\Control\Lsa".
* Creates key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
* Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
* Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
* Creates key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
* Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
* Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
* Creates key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
* Sets value "DoNotAllowXPSP2"="^A" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
* Creates key "HKLM\Software\Microsoft\OLE".
* Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".
* Sets value "Record"="??^N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
[ Network services ]
* Looks for an Internet connection.
* Connects to "[DELETED]" on port 1863 (TCP).
* Sends data stream (30 bytes) to remote address "[DELETED]" port 1863.
* Connects to IRC Server.
* IRC: Uses nickname [XP||N|677795].
* IRC: Uses username XP88038.
* Opens URL: http://[DELETED]/prxjdg.cgi.
* Opens URL: http://[DELETED]/x/maxwell/cgi-bin/prxjdg.cgi.
* Opens URL: http://[DELETED]/mute/c/prxjdg.cgi.
* Opens URL: http://[DELETED]/tomocrus/cgi-bin/check/prxjdg.cgi.
* Opens URL: http://[DELETED]/cgi-bin/proxy.cgi.
* Opens URL: http://[DELETED]/little_w/prxjdg.cgi.
* IRC: Sets the usermode for user [XP||N|677795] to .
* IRC: Joins channel #NGEN with password [DELETED].
[ Process/window information ]
* Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
* Attempts to access service "npx".
* Creates a mutex LOLFOB.
* Attempts to access service "Tlntsvr".
* Attempts to access service "RemoteRegistry".
* Attempts to access service "Messenger".
* Attempts to access service "SharedAccess".
* Attempts to access service "wscsvc".
[ Signature Scanning ]
* C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.
Virustotal (engine, version, signature date, result):
AntiVir 6.35.1.11 08.31.2006 Worm/Sdbot.86016.43
Authentium 4.93.8 08.30.2006 no virus found
Avast 4.7.844.0 08.31.2006 no virus found
AVG 386 08.30.2006 IRC/BackDoor.SdBot2.HLZ
BitDefender 7.2 08.31.2006 GenPack: Generic.Sdbot.4F0C4C47
CAT-QuickHeal 8.00 08.30.2006 no virus found
ClamAV devel-20060426 08.31.2006 no virus found
DrWeb 4.33 08.31.2006 Win32.HLLW.MyBot
eTrust-InoculateIT 23.72.111 08.31.2006 no virus found
eTrust-Vet 30.3.3052 08.31.2006 no virus found
Ewido 4.0 08.31.2006 Backdoor.SdBot.anp
Fortinet 2.77.0.0 08.31.2006 W32/SDBot.AKI!worm
F-Prot 3.16f 08.30.2006 no virus found
F-Prot4 4.2.1.29 08.31.2006 no virus found
Ikarus 0.2.65.0 08.31.2006 no virus found
Kaspersky 4.0.2.24 08.31.2006 Backdoor.Win32.SdBot.anp
McAfee 4841 08.30.2006 no virus found
Microsoft 1.1560 08.31.2006 no virus found
NOD32 v21.1733 08.31.2006 a variant of IRC/SdBot
Norman 5.90.23 08.31.2006 W32/Malware
Panda 9.0.0.4 08.30.2006 no virus found
Sophos 4.09.0 08.31.2006 no virus found
Symantec 8.0 08.31.2006 W32.Spybot.Worm
TheHacker 5.9.8.202 08.31.2006 no virus found
UNA 1.83 08.31.2006 no virus found
VBA32 3.11.1 08.30.2006 Win32.HLLW.MyBot
VirusBuster 4.3.7:9 08.30.2006 no virus found
i.exe:
Virustotal (engine, version, signature date, result):
AntiVir 6.35.1.11 08.31.2006 Worm/Spybot.1093632
Authentium 4.93.8 08.30.2006 no virus found
Avast 4.7.844.0 08.31.2006 no virus found
AVG 386 08.30.2006 IRC/BackDoor.SdBot2.HLY
BitDefender 7.2 08.31.2006 Win32.Worm.Tilebot.GM
CAT-QuickHeal 8.00 08.30.2006 no virus found
ClamAV devel-20060426 08.31.2006 no virus found
DrWeb 4.33 08.31.2006 Win32.HLLW.MyBot
eTrust-InoculateIT 23.72.111 08.31.2006 Win32/SDBOT.AQJ!Worm
eTrust-Vet 30.3.3052 08.31.2006 Win32/Petribot.XM
Ewido 4.0 08.31.2006 Backdoor.SdBot.aqj
Fortinet 2.77.0.0 08.31.2006 W32/Tilebot.AQJ!worm
F-Prot 3.16f 08.30.2006 no virus found
F-Prot4 4.2.1.29 08.31.2006 no virus found
Ikarus 0.2.65.0 08.31.2006 Backdoor.Win32.SdBot.aqi
Kaspersky 4.0.2.24 08.31.2006 Backdoor.Win32.SdBot.aqj
McAfee 4841 08.30.2006 W32/Spybot.worm.gen.p
Microsoft 1.1560 08.31.2006 Backdoor:Win32/Rbot!02A6
NOD32 v21.1733 08.31.2006 IRC/SdBot
Norman 5.90.23 08.31.2006 W32/Spybot.AXGM
Panda 9.0.0.4 08.30.2006 W32/Sdbot.IAZ.worm
Sophos 4.09.0 08.31.2006 W32/Tilebot-GM
Symantec 8.0 08.31.2006 W32.Spybot.AKNO
TheHacker 5.9.8.202 08.31.2006 no virus found
UNA 1.83 08.31.2006 Backdoor.SdBot.8
VBA32 3.11.1 08.30.2006 Win32.HLLW.MyBot
VirusBuster 4.3.7:9 08.30.2006 no virus found
Reading up on what the antivirus community has written about these they seem to attack through so many vectors that it's likely they affect poorly patched systems.
Some observations
- Joerg wrote in to agree with us that it's a bit sad to see how badly detected these slight variants on the theme are in real life. Of course the malware crafters make it so that they evade the signatures they are interested in. But still it's sad to see that less than half of the products represented on Virustotal detect a sample that's running amok on the net.
- Take a look at the [Changes to registry] section above and see the keys any such malware changes. Next imagine how a clean-up program is going to guess what you had in those keys before. Right: you'll end up with sub-optimal settings no matter what.
- Since this caused (unrightfully so) somewhat of a stir in the "still using NT" community:
- let's face it: upgrade, or isolate, or ... get hit eventually.
- balance the cost of upgrading vs. the cost of premium support + the cost of an outbreak * the chance of an outbreak
- It's not just targeting NT!
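The sandbox report above is regular enough to parse, which is what a responder wants both for a clean-up checklist and for knowing which settings were touched (the point of the second observation above). The block below is an added example written for this diary, not Norman's or ISC's code. It parses the "Creates file / Creates key / Sets value / Modifies value / Deletes value" lines from a subset of the report above, reads the ^A/^D notation as control characters (1 and 4, which matches Start=4 being the "Disabled" service start type), and flags the entries a defender must act on: the dropped file, the new service used for persistence, services switched to Disabled, Security Center notifications switched off, and Automatic Updates set to AUOptions=1 (disabled). The category names are my own; the sample input is the page's own sanitized report lines.

```python
"""Parser for Norman-sandbox-style report lines (added example, not Norman/ISC code)."""
import re

# A subset of the sanitized report lines shown above, used as sample input.
REPORT = r"""
* Creates file C:\WINDOWS\csrsc.exe.
* Creates key "HKLM\System\CurrentControlSet\Services\npx".
* Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
* Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
* Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "FirewallDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Sets value "AUOptions"="^A" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
* Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
* Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\TlntSvr".
* Sets value "restrictanonymous"="^A" in key"HKLM\System\CurrentControlSet\Control\Lsa".
* Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
* Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".
[ Network services ]
* Connects to IRC Server.
""".strip().splitlines()

# "in key" is sometimes followed directly by the quote in the report, hence \s*.
VALUE_RE = re.compile(r'^\* (Sets|Modifies|Deletes) value "([^"]+)"(?:="(.*)")? in key\s*"([^"]+)"\.$')
KEY_RE = re.compile(r'^\* Creates key\s*"([^"]+)"\.$')
FILE_RE = re.compile(r'^\* Creates file (.+)\.$')


def decode(data):
    """The report prints small DWORDs as control characters: ^A = 1, ^D = 4."""
    if data is None:
        return None
    m = re.fullmatch(r"\^([A-Z])", data)
    return ord(m.group(1)) - ord("A") + 1 if m else data


def parse_line(line):
    """Return a record for a recognised line, or None for headers and other text."""
    line = line.strip()
    m = VALUE_RE.match(line)
    if m:
        op, value, data, key = m.groups()
        return {"op": op.lower(), "target": key, "value": value, "data": decode(data)}
    m = KEY_RE.match(line)
    if m:
        return {"op": "createkey", "target": m.group(1), "value": None, "data": None}
    m = FILE_RE.match(line)
    if m:
        return {"op": "createfile", "target": m.group(1), "value": None, "data": None}
    return None


def parse(lines):
    return [r for r in (parse_line(line) for line in lines) if r]


SERVICES = "HKLM\\System\\CurrentControlSet\\Services\\"
SECURITY_CENTER = "HKLM\\Software\\Microsoft\\Security Center"
AUTO_UPDATE = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update"
SERVICE_DISABLED = 4   # service Start type 4 = Disabled
AU_DISABLED = 1        # AUOptions 1 = Automatic Updates disabled


def findings(records):
    """Map parsed records onto the handful of things a responder must act on."""
    out = []
    for r in records:
        key, value, data = r["target"], r["value"], r["data"]
        service = key[len(SERVICES):] if key.startswith(SERVICES) else None
        if r["op"] == "createfile":
            out.append(("dropped file", key))
        elif service and value == "ImagePath":
            out.append(("persistence: new service", f"{service} -> {data}"))
        elif service and value == "Start" and data == SERVICE_DISABLED:
            out.append(("service disabled", service))
        elif key == SECURITY_CENTER and data == 1:
            out.append(("security center alert suppressed", value))
        elif key == AUTO_UPDATE and value == "AUOptions" and data == AU_DISABLED:
            out.append(("automatic updates disabled", f"{value}={data}"))
    return out


if __name__ == "__main__":
    for category, detail in findings(parse(REPORT)):
        print(f"{category:35} {detail}")
```

The parsed records, not just the findings, are the useful artifact: every "Sets"/"Modifies" record names a key whose pre-infection value is now unknown, which is exactly why a generic clean-up tool cannot restore it and why rebuilding from a known image (as the MS06-040 diary below recommends) is the safer answer.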
Many thanks to fellow handler Joel for the help.
--
Swa Frantzen -- Section66.com
MS06-040 Worm[s]
For the past several days, the Handlers here at ISC have received all kinds of emails about the recent increase in scanning on port 139. As noted by fellow handler Lorna the other day, yes, there was definitely something going on, but we haven't seen any c0de.
Well, guess what. One of our loyal readers out there on the 'Information SuperHighway', Alex Pettinger, wrote in and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm (as well as a nice copy of it). It appears, in typical antivirus fashion, to be named several things: McAfee is calling it "W32/SDbot.worm!MS06-040", Sophos is calling it "W32/Vanebot-A", and Symantec is calling it "W32.Randex.GEL". (Yes, it's been out for a couple of days.)
Let's take a look at this bad boy, shall we? How does it spread? Well, it uses MS04-007, MS05-017, MS05-039, and of course our favorite bug of the moment, MS06-040.
This one should be relatively easy to catch: look for machines pounding away over port 139 (from reader submissions it's about 150 machines in just a few seconds, so it should be noisy), and look for connections via IRC to "forum.ednet.es" over port 4915 (until the next variant changes it, and we know it will). It has the ability to do a bunch of things, including spreading to network shares.
Prevention, as always (and it should have been done for years now): block 139 and 445 at the router/firewall. NetBIOS traffic shouldn't be allowed to exit or enter your network at the egress points anyway.
Update your antivirus. At least daily.
Patch. You know the deal by now.
Now, since cleaning botnets is pretty much impossible, prevention is the key. If you DO get hit with a botnet infection running throughout your network, my general recommendation is: rebuild the box. Now, I know that sounds drastic to some of you, but it gets rid of the worm, gets rid of the botnet, and plus you have a brand new box! So, maintain those images, keep your antivirus up to date, patch your boxes, and make sure your IDS/IPS is up to date.
Cory, one of our ever vigilant readers, notified us that the link to 06-040 was incorrect. Thanks Cory. It has been fixed.
Update #2
Since I wrote this article I've read many reports on Symantec and other sites that talk about worms and exploits using MS06-040 in their code, so we're not going to list them all here, but be aware, they are out there! Most of the worm/c0de that I have seen has the infected machines connecting back to a botnet on IRC somewhere. Apparently that's the thing to do for hackers nowadays: integrate code into a worm, attach botnet c0de, and away you go compromising machines.
Patch those machines, update that antivirus, make sure your firewall is blocking as much as possible, and make sure your IDS/IPS that is on your network is running the latest ruleset.
Update #3
Eric tells us:
"Some of [the worms] attack 445/tcp while others attack 139/tcp. One thing that we have noticed is that some of these variants do slow scans of the B-Class network that they infect as opposed to the more traditional massive, or what I like to call "puke scans", of the B class range. This has made them more difficult to detect and we've had to engineer some new detection methods."
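Both detection hints in this diary can be turned into a small log-driven check: the noisy case (one host opening connections to many distinct hosts on 139/445 within a few seconds, plus a connection to the IRC port 4915 mentioned above) and the slow-scan case Eric describes, which a short burst window never catches. The block below is an added example written for this diary, not ISC code or a Snort rule. It parses constructed firewall log lines (the line format, hosts and addresses are made up for illustration), keeps a per-source sliding window of distinct 139/445 destinations for a burst threshold, and in parallel a one-hour window with a higher distinct-target threshold that catches a scanner probing one host every 30 seconds. The thresholds and the port-only C2 match are assumptions to tune against your own network.

```python
"""Scan/C2 detection over firewall log lines (added example; constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) TCP (\S+):(\d+) -> (\S+):(\d+)$")
SMB_PORTS = {139, 445}


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").timestamp()
    return {"ts": ts, "src": m.group(3), "dst": m.group(5), "dport": int(m.group(6))}


def detect(lines, burst_n=20, burst_window=5, slow_n=50, slow_window=3600, c2_ports=(4915,)):
    """Return (ts, src, kind) alerts; kind is burst-scan, slow-scan or c2-port.

    Each source alerts at most once per kind so a noisy scanner does not flood you.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    burst = defaultdict(deque)   # src -> deque of (ts, dst) inside the short window
    slow = defaultdict(dict)     # src -> {dst: last_seen_ts} inside the long window
    fired = set()
    alerts = []
    for ev in events:
        src, ts = ev["src"], ev["ts"]
        if ev["dport"] in c2_ports and (src, "c2-port") not in fired:
            fired.add((src, "c2-port"))
            alerts.append((ts, src, "c2-port"))
        if ev["dport"] not in SMB_PORTS:
            continue
        # Short window: how many distinct hosts did src hit in the last burst_window seconds?
        q = burst[src]
        q.append((ts, ev["dst"]))
        while ts - q[0][0] > burst_window:
            q.popleft()
        if (src, "burst-scan") not in fired and len({d for _, d in q}) >= burst_n:
            fired.add((src, "burst-scan"))
            alerts.append((ts, src, "burst-scan"))
        # Long window: the same question over an hour, which a slow scanner cannot dodge.
        s = slow[src]
        s[ev["dst"]] = ts
        for dst in [d for d, t in s.items() if ts - t > slow_window]:
            del s[dst]
        if (src, "slow-scan") not in fired and len(s) >= slow_n:
            fired.add((src, "slow-scan"))
            alerts.append((ts, src, "slow-scan"))
    return alerts


def make_sample_log():
    """Constructed traffic: a file-server user, a 'puke' scanner and a slow scanner."""
    t0 = datetime(2006, 8, 12, 9, 0, 0)

    def fmt(t, act, src, sp, dst, dp):
        return f"{t:%Y-%m-%d %H:%M:%S} {act} TCP {src}:{sp} -> {dst}:{dp}"

    lines = []
    # Benign: one workstation talking to two file servers all morning.
    for i in range(40):
        lines.append(fmt(t0 + timedelta(minutes=i), "ALLOW", "10.1.4.4", 3000 + i,
                         "10.1.5.7" if i % 2 else "10.1.5.8", 445))
    # Slow scanner: one new host on 445 every 30 seconds for half an hour.
    for i in range(60):
        lines.append(fmt(t0 + timedelta(seconds=30 * i), "DENY", "10.1.9.9", 1025 + i,
                         f"10.1.0.{i + 1}", 445))
    # Burst scanner: 30 distinct hosts on 139 inside two seconds, then a call home.
    for i in range(30):
        lines.append(fmt(t0 + timedelta(minutes=10, seconds=i // 15), "DENY", "10.1.2.3", 1100 + i,
                         f"10.1.5.{i + 1}", 139))
    lines.append(fmt(t0 + timedelta(minutes=10, seconds=3), "ALLOW", "10.1.2.3", 1200, "192.0.2.10", 4915))
    return lines


def demo():
    return detect(make_sample_log())


if __name__ == "__main__":
    for ts, src, kind in demo():
        print(f"{datetime.fromtimestamp(ts):%H:%M:%S} {src:10} {kind}")
```

The benign workstation never trips either window because it only ever talks to two servers; the burst scanner trips the 5-second window on its 20th target, and the slow scanner, invisible to that window, trips the one-hour window on its 50th. Set slow_n from what a normal host on your segment touches in an hour, not from the scanner.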
Final Update
We've been following this most recent outcropping of scanning. We'd like to thank all the people that submitted c0de to us: worms, firewall logs, packets, etc. Thank you. It's what we needed. So, that being said, I'm going to close out the story for us unless something new crops up. These worms have been out for a while now, and hopefully we've shed enough light on them. The general patch, update, and block stuff applies. There are ways to catch and prevent the worm with your Snort box if you are running the VRT ruleset with the most updated netbios.rules file, so make sure your ruleset is up-to-date.
Have a good weekend everyone!
An ISC Back to School Special
Yes, it is that time of year. The hustle and bustle of getting kids situated in school has begun and for many folks has already occurred. Along with that comes the purchase of that shiny new laptop or desktop for little Johnny Joe or Sally Sue. If you're not buying one, you may be powering up the one you have for the first time in a while. To quote a line from Uncle Ben in the movie Spiderman: "With great power comes great responsibility". A computer is a powerful tool and someone has to be responsible for that tool. So here are some things that you need to consider as you get your kids ready for school.
Back to School Shopping List
For starters, here are some accessories you might want to make sure they have available that you might not have considered.
- Blank CDs/DVDs are pretty useful for burning a backup copy of a homework assignment or major project that they might be working on and can't afford to lose.
- Consider a USB key(s) for easy transferring of data.
- An extra ethernet cable (if you don't have access to a wireless network) and a handy wireless card to take with you as a backup or if you don't have wireless built-in.
- A good backpack for your laptop or rollers for the laptop. I find a backpack is much easier for when you're on the go a lot.
- A laptop security cable, especially for use in the dorm rooms.
- Make sure you have purchased antivirus software for your systems. You cannot exercise that "great responsibility" mentioned above without having it.
Now that you have that new computer, or your old one for that matter, how do you exercise "great responsibility" over that power? Here are some tips:
- Make sure the system is patched and stays patched with all the latest updates. This is especially true for systems that have been shut down/offline for the summer. Before doing anything else, patch the systems (from a protected network, if at all possible). Remember that Microsoft releases their patches on the second Tuesday of the month, and many vendors seem to release theirs during the same time frame. So mark the date on your calendar to watch for patches. Also, you can configure most software to automatically check for updates. Don't just focus on the patches for the operating system; remember all those other programs and pieces of software on the computer that need to be updated as well.
- Ensure your system is running an antivirus program and has up-to-date virus definitions. Many vendors are releasing weekly if not daily updates. The software will oftentimes automatically look for updates on a weekly basis. I would consider bookmarking the update page for your antivirus vendor and checking it on a daily basis for new signature releases.
- If you run a Windows box, ensure your firewall is turned on for both your wireless and local area network. Macs have a built-in firewall as well, so ensure it is turned on, and don't forget those Advanced options in OS X 10.4! If you're running an operating system that doesn't have a firewall built in, look for a third-party firewall that is compatible with that system.
- Screen savers that are password protected are another good option to turn on. Just don't set the timeout on the screen saver to something like 30 minutes or an hour, since that will defeat the purpose. My personal preference is to just learn to lock the desktop when walking away from the system. You're still just typing in a password.
- Don't run your system with Administrator privileges as a matter of course. Set up an account as a regular user and run with that account except in those rare instances when you need the greater privileges. It can lessen the impact of malware and remote exploits.
- If you are using wireless take great care and ensure that you encrypt your data. However, there are many times that you have to attach to an open wireless network. It may be that the campus has open wireless network or that you decide to work at the local coffee shop and use their network. In such cases, you don't have control over how you connect but you can still secure your data. One solution is to use Kyle's Tip of the Day: Secure Surfing at the Coffee Shop (or Hacker Conferences). Another good option is to use a hosted VPN solution. There are some good ones out there that are available for a small price and well worth the money.
- Stay away from peer-to-peer (P2P) networks. While growing in popularity, they are also growing in risk. The risks involved range from the software you download to participate in the P2P network (containing spyware or other beasties) to the actual files being distributed or obtained. A vast majority of the files being shared are copyrighted songs and movies, which is illegal and can land your little Johnny Joe or Sally Sue in a lot of trouble. Many of the infection mechanisms used by malware today target P2P networks.
- A final set of tips for safe computing. Be careful when opening email from unknown individuals. If your mail viewer has a preview pane, turn it off, and change your settings to read your mail in plain text. Be very careful what you click on, especially links that come in via email or IM. The same principle applies to opening attachments.
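For the Windows users in the family, here is an added example (not part of the original diary) that audits the checklist above on a modern Windows machine: firewall state per profile, a registered antivirus product, a password-protected screen saver with a short timeout, whether the current session is an Administrator, and whether automatic updates have been switched off. It assumes Windows 8 or later for Get-NetFirewallProfile, a client edition for the Security Center namespace, and a 10-minute screen saver threshold chosen here as a reasonable value; it only reads settings and changes nothing.

```powershell
# Added example, not from the ISC diary. Read-only audit of the back-to-school checklist.
# Assumptions: Windows 8+ (Get-NetFirewallProfile); client SKU for root/SecurityCenter2;
# 10-minute screen saver limit is this example's own threshold.
$findings = @()

# 1. Firewall on for every profile ("both your wireless and local area network")
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# 2. An antivirus product registered with Security Center (client Windows only)
try {
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop
    if (-not $av) { $findings += "No antivirus product registered with Security Center" }
} catch {
    $findings += "Could not query Security Center (server edition?)"
}

# 3. Screen saver: enabled, password protected, timeout not set to something like 30-60 minutes
$ss = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($ss.ScreenSaveActive -ne '1')      { $findings += "Screen saver is not enabled" }
if ($ss.ScreenSaverIsSecure -ne '1')   { $findings += "Screen saver does not require a password" }
if ([int]$ss.ScreenSaveTimeOut -gt 600) { $findings += "Screen saver timeout is $($ss.ScreenSaveTimeOut)s (over 10 minutes)" }

# 4. Day-to-day work should not happen in an Administrator session
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "Current session has Administrator privileges"
}

# 5. Automatic updates not turned off (AUOptions = 1 means "never check for updates")
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
if ($au -and $au.AUOptions -eq 1) { $findings += "Automatic updates are disabled (AUOptions=1)" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output "All checklist items pass"
}
```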
Contacting the ISC, good practices for response
Recently we've received several good emails, concerning many of the topics that we've discussed recently on our Diary entries. Port 139 traffic, HP JetDirect traffic, Java updates, you name it, we've received email about it.
The problem with a couple of these excellent emails is... the sender hasn't left their email address! We had one individual write us and offer packet captures of the 139/445 traffic that has been reported, but he didn't leave an email address for us to contact him.
So please, these items are essential. If you are thinking about not submitting your email address for privacy reasons, feel free to do so; we try to make a habit of not posting people's email addresses on the site. We like to give credit where credit is due, but if you do not want your name mentioned at all, make sure to check the radio button that says "Do NOT mention my name".
You may contact the ISC by clicking on the Handler of the Day's name at the top of the page, or clicking on "Contact" at the bottom right of the page.
Thank you for your submissions about this "NT4/2000 worm" that is rumored to be spreading around, we'd love to receive full packet captures of the traffic, as well as any binaries that it drops. (If there really is a worm).
Thanks!