Digital Common Sense

From the SANS Handler’s Diary -

The folks at Bleeding Snort released an updated list of known malware-related domains yesterday, up to 9,400 entries now! For those of you employing DNS black holes, proxy-based filtering, or doing other general research of malware based on domains, you should check out this exhaustive (and exhausting!) new list. I frequently rely on this list to match against when doing research of spyware and related nasties. Kudos to the Bleeding Snort guys for their hard work.

For anyone who manages DNS, fights blacklist issues, or winde up off chasing malware domains for any reason, this is a great resource.

SANS, malware, blacklist, Bleeding Snort, malicious domains, Infosec

Filed by Ken at 6:09 pm under InfoSec
No Comments

January 27, Associated Press — Maryland spam law can be enforced, judge rules. Spam e−mails offering home financing deals or other offers can violate Maryland law, even if they’re sent from another state, a state appeals court has ruled. Court of Special Appeals Judge Sally D. Adkins sided with a law student who argued that he could sue a New York e−mail marketer who had sent him advertising messages. The decision, issued Thursday, January 26, overturns a lower court ruling that Maryland’s 2002 Commercial Electronic Mail Act was unconstitutional because it sought to regulate commerce outside state borders. Adkins, in a 60−page decision, blasted the marketer’s claims that he should not be punished for violating Maryland law because he had no way of knowing whether his e−mails would be opened in Maryland. “This allegation has little more validity than one who contends he is not guilty of homicide when he shoots a rifle into a crowd of people without picking a specific target, and someone dies,” the judge wrote. Maryland was one of the first states to try to control junk e−mail through legislation, and its 2002 law predates the 2004 federal CAN−SPAM Act. The federal law superseded most state laws unless they specifically addressed deceptive or fraudulent e−mail, which Maryland’s does.
Source

spam, law, legal, Maryland, MD, Infosec

Filed by Ken at 1:14 pm under InfoSec
No Comments

January 27, Associated Press — Man sentenced for stealing Microsoft code. A Connecticut man known on the Internet as “illwill” was sentenced to two years in prison Friday, January 27, for stealing the source code to Microsoft Corp.’s Windows operating software, among the company’s most prized products. William Genovese Jr., 29 of Meriden, CT, was sentenced by U.S. District Judge William H. Pauley, who called Genovese “a predator who has morphed through various phases of criminal activity in the last few years.” Genovese pleaded guilty in August to charges related to the sale and attempted sale of the source code for Microsoft’s Windows 2000 and Windows NT 4.0. The code had previously been obtained by other people and unlawfully distributed over the Internet, prosecutors said. Source code is the blueprint in which software developers write computer programs. With a software program’s source code, someone can replicate the program. Industry experts expressed concern that hackers reviewing the Microsoft software code could discover new ways to attack computers running some versions of Windows. Prosecutors said in an indictment in February 2004 that Genovese posted a message on his Website offering the code for sale on the same day that Microsoft learned significant portions of its source code were stolen.
Source

Infosec, Microsoft, stolen code

Filed by Ken at 1:12 pm under InfoSec
No Comments

Some place I’d rather be

Originally uploaded by kencamp.

Somewhere warm and sunny.

Filed by Ken at 2:32 pm under General
No Comments

Some place I’d rather be

Originally uploaded by kencamp.

Somewhere warm and sunny.

Filed by Ken at 2:31 pm under General
No Comments

Nearly a year ago I posted A Lesson in Fluidity as a repost of something I’d said a year before. I’ve recently been given cause to think about some things and this post struck me as still relevant, so I’m reposting it.

---

Reading online this morning made me think about this again. It’s something I hate thinking about. It’s counterproductive. It leads to stratification of our community of interest. It’s childish. Like Orkut, it’s playground rules. It’s second grade all over again. There is no A-list. Some people think there is. Some people think they’re on it. Some people think there’s a club with secret handshakes and a password…a grand conspiracy to keep the rest of us out. People on the inside of some circles believe this just as much as some who feel they’re outside those circles. This is a reality of life as much as a reality of the blogosphere. There is no A-list in real life either. Only people who think there is. All people are created equal. No one person is of greater value than another.The problem is people don’t understand circles. Overlapping circles. Concentric circles. Intersecting circles. Just like ripples in a pond, we are the sum of our circles. Some circles overlap. Some intersect. Some are smaller circles inside larger circles. Some circles never touch. And yes, some circles…jerk. Welcome to our world.

Our circles of interest intersect at some points, but think of the ripples in a large lake. The intersecting circles on one side of lake have such a miniscule impact across that body of water that it’s nearly immeasurable. Sure there’s impact, but the laws of nature weaken the kinetic energy of the ripple as the mass of the water diminishes its strength. So too is the blogosphere a large body. Ripples sometimes make it across and make small differences. Some folks make a big splash are are gone. Every person cannot expect to affect every other person in this world. Reasonable expectations are key. We all exist within our circle of influence and our own community of interest. If we want to move to a new community, we make the necessary adjustments.

Some folks ripple like a bubbling brook, always spilling out something we enjoy. It might be useful information. It might be cheerful good news. It might be tidbits of wisdom about productivity tools. These folks are a fountain, every renewing our spirit and keeping our water fresh. These folks don’t care about lists. They pay attention to their circles of friends…their community of interest. They are focused outward.

Some lie quietly like a sleeping giant. A body of water at rest is quiet and peaceful until the eruption of frenzied activity. These folks, erupt like a waterspout, blasting new ideas into our consciousness at unexpected moments. These folks care about making a difference in one area or another. They seize ideas they think are important and blast out thoughts. Their circles coverge and split and merge and change continually. They too are focused outward.

The quiet ones are just there. Think of the 20th century female poet, J. Sydney. Who said “He poured so gently and naturally into my life like batter into a bowl of butter. Honey into a jar of honey. The clearest water sinking into sand.” They pervade our daily life, having some small affect on our thoughts and actions every day, but we never really realize or appreciate the impact they have. Their circles overlap and intertwine (intertwingle) with one another. They come and go and make quiet friends as interests evolve. Like the others, these friends keep an outward focus.

Then there’s always the boistrous fat guy doing the cannonball. You know the one always hollering “look at me….watch me.” Yep, he’s there and he has an affect too. It’s not a lasting affect. Let him splash in your pool and look an hour later. His ripple are gone. He’s an aggressive, but ephemeral agitant. He’s the self-aggrandizing one who isn’t nearly as important as he thinks he is. He’s the one who thinks there’s a n A-list and thinks he’s on it. I’m here to tell you a secret — he’s wrong. These are the folks who are looking the wrong direction. They look inward to me, my company who I am, what I can do, how popular/important/sexy I am. The center of their universe is different.

---

I rarely feel like I’m one to offer advice. Rex Hudler said “be a fountain, not a drain.”Ken says

Then again, as someone walking by just told me, maybe I’m all wet…

Circles, fluidity, community of interest, communities

Filed by Ken at 12:51 pm under General
No Comments

January 26, Hackers Center Security Portal — Microsoft Internet Explorer does not honor ActiveX. Internet Explorer (IE) fails to properly check the kill bit for ActiveX controls, which may allow a remote attacker to execute arbitrary code on a vulnerable system. By convincing a user to view a specially crafted HTML document an attacker could execute arbitrary code with the privileges of the user. Depending on the ActiveX control being used, an attacker may be able to take other actions. There are a number of significant vulnerabilities in technologies involving the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model in particular, proprietary DHTML features; the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide Web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
Source: http://www.hackerscenter.com/archive/view.asp?id=22251

Microsoft, IE, Internet Explorer, ActiveX, Infosec

Filed by Ken at 12:46 pm under InfoSec
No Comments

January 26, Security Focus — Researchers: Rootkits headed for BIOS. Insider attacks and industrial espionage could become stealthier by hiding malicious code in the core system functions available in a motherboard’s flash memory, researchers said on Wednesday, January 25, at the Black Hat Federal Conference. A collection of functions for power management, known as the Advanced Configuration and Power Interface (ACPI), has its own high−level interpreted language that could be used to code a rootkit and store key attack functions in the Basic Input/Output System (BIOS) in flash memory, according to John Heasman, principal security consultant for UK−based Next−Generation Security Software. The researcher tested basic features, such as elevating privileges and reading physical memory, using malicious procedures that replaced legitimate functions stored in flash memory. “Rootkits are becoming more of a threat in general −− BIOS is just the next step,” Heasman said during a presentation at the conference. “While this is not a threat now, it is a warning to people to look out.” The worries come as security professionals are increasingly worried about rootkits. While some attacks have attempted to affect a computer’s flash memory, the ability to use the high−level programming language available for creating ACPI functions has opened up the attack to far more programmers.
Source: http://www.securityfocus.com/news/11372

rootkits, BIOS, Infosec

Filed by Ken at 12:46 pm under InfoSec
No Comments

My friend Mary saw the picture of a microcar and initially thought she wanted one of these -

It’s called a “microcar,” and I’ve only just started to follow the story on this emerging market, but I love these little guys. $7,000 U.S. and 60-90 miles to the gallon … better and better.

The truth is that she hasn’t seen what all the chic Bloghers and girlie girls will be driving to the next big conference.

Real Woman’s Car

I understand next year’s model comes with a charm bracelet for storage and carrying.

Microcar, Blogher, girlie girl car

Filed by Ken at 9:45 pm under General
No Comments

Secret Window

Originally uploaded by kencamp.

Filed by Ken at 6:07 pm under General
No Comments

January 25, FrSIRT — Cisco IOS TCLSH AAA command authorization bypass vulnerability. A vulnerability has been identified in Cisco IOS, which could be exploited by malicious users to bypass security restrictions and obtain elevated privileges. This issue is due to an error in the Authentication, Authorization, and Accounting (AAA) command authorization feature that does not properly perform authorization checks on commands executed from the Tool Command Language (Tcl) exec shell, which could be exploited by authenticated users to bypass command authorization checks resulting in unauthorized privilege escalation.

Solution: Apply fixes
Source: http://www.frsirt.com/english/advisories/2006/0337

Cisco, IOS, Infosec

Filed by Ken at 6:54 pm under InfoSec
No Comments

January 25, CNET News — Skype could provide botnet controls. Internet phone services such as Skype and Vonage could provide a means for cybercriminals to send spam and launch attacks that cripple Websites, experts have warned. Moreover, because many voice over Internet protocol (VoIP) applications use proprietary technology and encrypted data traffic that can’t easily be monitored, the attackers will be able to go undetected. “VoIP applications could provide excellent cover for launching denial of service (DoS) attacks,” the Communications Research Network said Wednesday, January 25. The Communications Research Network is a joint venture between Cambridge University and the Massachusetts Institute of Technology. The group urges VoIP providers to publish their routing specifications or switch to open standards. “These measures would…allow legitimate agencies to track criminal misuse of VoIP,” Jon Crowcroft, a professor at Cambridge University in the UK, said in a statement. VoIP applications such as eBay’s Skype and Vonage could give cybercriminals a better way of controlling their zombies and covering their tracks, the Communications Research Network said. “If the control traffic were to be obfuscated, then catching those responsible for DoS
attacks would become much more difficult, perhaps even impossible,” the group said in a statement.
Source: http://news.com.com/Skype

Skype, botnets, Infosec

Filed by Ken at 6:53 pm under InfoSec, Unified Communications
No Comments

When I posted this piece on Nyxem earlier, I was in a hurry. Busy day, you know. A comment from Mary got a quick email back, but I’ve been slower at finding time to update here.

Virtually every anti-virus vendor in the market has updated signature files out in the last week or two that will protect against Nysem.e. Check your signature (dat) files and make you’re you’ve got current ones. Do the critical update routine on Windows. Don’t run old service packs. Keep things current.

It’s not really as bad as it really is.

Really.

Nyxem, worm, vulnerability, Infosec

Filed by Ken at 7:22 pm under InfoSec
No Comments

There are some things about RSS and aggregators (aggravators indeed) that just irritate the living daylights out of me. Since two just hit me with a flood of RSS SPAM, I’ll breifly explain.

RSS SPAM = Syndicating the same thing back to my reader over and over and over. Anything that’s unwanted excess
NOTE: It’s true that each and every one of us writes tales that would make the bard himself green with envy. We all know that. I’m not accusing anyone of writing anything but the very finest prose. There’s not a drooling, babbling fools among the entire lot of bloggers. Truly

Some blogs work in a fashion that pushes a new feed as they’re updated throughout the day. At the end of the day, you get to read the same post three times.This is incredibly annoying. It feels like you’re repeating yourself. Like maybe you like to hear yourself talk so much you just have to say it over and over.

Some blogs, or bloggers experience techinical difficulties and periodically publish some batch of history so the aggregatored fills up with posts dating back to the Pleistocene area, giving us the opportunity to see your online life flash before our eyes again and again as you republish every time there’s a technical difficulty or whatever the hell it is that causes this.

Some of you like the idea of having your blog post page update to include the comment every time someone comments. This leads to reposting of the same article every time someone says “wow that was nice” or anything else. It also leads to reposting that morsel of wit you wrote last year when the comment spammer offers to enhance your private parts.

Just to put a stake in the ground and take a stand, I will say here that these things are bad. All of these things are bad. If you do these things, you should stop. You won’t listen. You don’t care. You have voice, right? That’s ok. You can use your voice all you want. But I’m not listening to you any more. You’re being silenced one by one.

RSS, RSS problem, how to irritate your readers, redundancy in posting redundant drivel

Filed by Ken at 7:12 pm under General
No Comments

There’s a new worm propagating, and I sense a lot of people aren’t aware if it’s growth or potential.

Since Nyxem.e has the potential to spread easily (it’s been growing for several days), and carries a malicious payload, I thought I’d copy and share some information here. This important, because if you read below, youlif find that Nyxem.e can delete the following file types -
*.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd, *.dmp

Here’s some background information, primarily from F-Secure.

Nyxem.e is a mass-mailing worm that also tries to spread using remote shares. It also tries to disable security-related and file sharing software as well as destroys files of certain types. Installation to system

Installation to system

Nyxem.E is written in Visual Basic and is compiled as p-code. The size of the main executable is about 95 kilobytes. When the worm’s file is run, it first opens WinZip as a decoy. On our test systems it also blocked keyboard and mouse so the only option was to press CTRL + ALT + DEL and to log off.

During the installation phase the worm copies its file to several locations:

%Windows%\rundll16.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe

where ‘%Windows%’ presents the main Windows folder. On Windows systems, it is usually C:\WINDOWS\ folder. The ‘%System%’ represents Windows System folder.

The worm creates the following Registry key value for its file to activate itself on every system startup:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“ScanRegistry” = “%System%\scanregw.exe /scan”

Spreading in e-mails

The worm collects e-mail addresses from files with following extensions:

.HTM
.DBX
.EML
.MSG
.OFT
.NWS
.VCF
.MBX
.IMH
.TXT
.MSF

The worm searches for files with these extensions in Internet Explorer cache folders. E-mail addresses that have any of the following substrings are ignored by the worm:

SYMANTEC
MCAFEE
VIRUS
TREND
PANDA
SECUR
SPAM
NORTON
ANTI
CILLIN
CA.COM
KASPER
TRUST
AVG
GROUPS.MSN
NOMAIL.YAHOO.COM
SCRIBE
EEYE
MICROSOFT
@HOTMAIL
@HOTPOP
@YAHOOGROUPS

The worm sends itself as attachment in the infected e-mail. The e-mail subject can be one the following:

The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
Fuckin Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Fw: Picturs
Fw: DSC-00465.jpg
Word file
eBook.pdf
the file
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos

The message body may be one of the following:

Note: forwarded message attached.
Hot XXX Yahoo Groups
F*ckin Kama Sutra pics
ready to be F*CKED
forwarded message attached.
VIDEOS! FREE! (US$ 0,00)
Please see the file.
>> forwarded message
—– forwarded message —–
i just any one see my photos. It’s Free

how are you?
i send the details.
OK ?

The worm usually attached itself to e-mail messages as an executable file. It uses one the following names in attachment:

007.pif
School.pif
04.pif
photo.pif
DSC-00465.Pif
image04.pif
677.pif
New_Document_file.pif
eBook.PIF
document.pif
DSC-00465.pIf

Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be
one of the following:

Video_part.mim
Attachments00.HQX
Attachments001.BHX
Attachments[001].B64
3.92315089702606E02.UUE
SeX.mim
Sex.mim
Original Message.B64
WinZip.BHX
eBook.Uu
Word_Document.hqx
Word_Document.uu

The filename inside MIME-encoding is one of the following:

New Video,zip .sCr
Attachments,zip .SCR
Atta[001],zip .SCR
Clipe,zip .sCr
WinZip,zip .scR
Adults_9,zip .sCR
Photos,zip .sCR
Attachments[001],B64 .sCr
392315089702606E-02,UUE .scR
SeX,zip .scR
WinZip.zip .sCR
ATT01.zip .sCR
Word.zip .sCR

Spreading to shared folders

The worm searches for remote shared folders and tries to copy itself using one of the following filenames:

\Admin$\WINZIP_TMP.exe
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe

At the same time the worm deletes the following file:

\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Before spreading the worm checks whether a remote computer has any of the following folders and if it does, the worm tries to delete all files from that folder:

\C$\Program Files\Norton AntiVirus
\C$\Program Files\Common Files\symantec shared
\C$\Program Files\Symantec\LiveUpdate
\C$\Program Files\McAfee.com\VSO
\C$\Program Files\McAfee.com\Agent
\C$\Program Files\McAfee.com\shared
\C$\Program Files\Trend Micro\PC-cillin 2002
\C$\Program Files\Trend Micro\PC-cillin 2003
\C$\Program Files\Trend Micro\Internet Security
\C$\Program Files\NavNT
\C$\Program Files\Panda Software\Panda Antivirus Platinum
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
\C$\Program Files\Panda Software\Panda Antivirus 6.0
\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

The worm also creates a scheduled task to run the worm’s files on remote computer with system priviledges at the 59th minute of the current hour.

Payload

The worm has a dangerous payload. If the date is equal to 3 (3rd of February, 3rd of March, etc) and the worm’s UPDATE.EXE file is run, it destroys files with those extensions on all available drives:

*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp

The files’ contens get replaced with a text string “DATA Error [47 0F 94 93 F4 K5]”. The payload is activated 30 minutes after the worm’s file UPDATE.EXE is loaded into memory (basically 30 minutes after logon). We can confirm that the payload works at least on Windows XP.

The worm attempts to disable several security-related and file sharing programs. It deletes startup key values from the Registry if they contain any of the following:

NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
PCCIOMON.exe
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare

The following startup Registry keys are affected:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]

In addition the worm deletes files from the following subfolders in the Program Files folder:

\DAP\*.dll
\BearShare\*.dll
\Symantec\LiveUpdate\*.*
\Symantec\Common Files\Symantec Shared\*.*
\Norton AntiVirus\*.exe
\Alwil Software\Avast4\*.exe
\McAfee.com\VSO\*.exe
\McAfee.com\Agent\*.*
\McAfee.com\shared\*.*
\Trend Micro\PC-cillin 2002\*.exe
\Trend Micro\PC-cillin 2003\*.exe
\Trend Micro\Internet Security\*.exe
\NavNT\*.exe
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
\Grisoft\AVG7\*.dll
\TREND MICRO\OfficeScan\*.dll
\Trend Micro\OfficeScan Client\*.exe
\LimeWire\LimeWire 4.2.6\LimeWire.jar
\Morpheus\*.dll

In addition the worm reads location of certain programs from Windows Registry and deletes certain files in these locations. The affected software is:

VirusProtect6
Norton AntiVirus
Kaspersky Anti-Virus Personal
Iface.exe
Panda Antivirus 6.0 Platinum

Also the worm closes application windows that have the following strings in their captions:

SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX

For some reason the worm adds several license keys to the Registry. Most of them seem to belong to VB6 controls. Also the worm makes the following changes to the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
“FullPath” = dword:00000001
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“ShowSuperHidden” = dword:00000000
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“WebView” = dword:00000000

The worm can modify Active Desktop files in order to launch another copy of itself named ‘WinZip_Tmp.exe’ using the ActiveX control.

Some notes from F-Secure’s Blog -

Saturday, January 21

The web counter used by the Nyxem worm now shows over 510,000 infections and keeps rising.

Our internal reporting system shows a steady stream of Nyxems being reported from all over the world, from USA to Australia.

If the worm keeps this pace, Friday the 3rd of February might be nasty - that’s when the destructive payload is programmed to strike for the first time.

Friday, January 20

We upgraded Nyxem.E to Radar level 2 due to the increased number of reports.

The worm’s destructive payload activates on every third day of the month by replacing the content of user’s files with a text string “DATA Error [47 0F 94 93 F4 K5]”. Among these files are: DOC, XLS, MDB,
MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.

The worm also has an interesting feature: it increases a counter on a website every time a new machine gets infected. When we first saw the counter (earlier today) it was below 300,000 . Now it’s already over 417,000 and growing. The counter didn’t necessarily start from zero.

---

If you aren’t certain you’re protected, I’d suggest doing some keyword searches for Nyxem in Google and Technorati. Check your antivirus signature files. Update them regularly for your own safety.

worm, Nyxem, F-Secure, vulnerability, Infosec

Filed by Ken at 8:46 am under InfoSec
No Comments