Archive for the ‘ISC’ Category
Posted in ISC on June 10th, 2010 by ISC Handler
Some of you may have noticed that I was a little slow in getting started this morning.
I wasn't prompt with replying to your emails. For that I apologize. I thought it would be
good if I explained why.
At my day job/paid job one of my responsibilities is handling abuse complaints; another
responsibility is cleaning up mail servers that are doing bad things. The two usually go
hand in hand and generally are due to something one or more of the users did. Today
was no exception. I logged into my email this morning and immediately knew I had a
problem. I knew how the first half of my day was going to go. I had several hundred
abuse reports for one of my mail servers. I immediately began to investigate what
was going on with the server. I soon discovered that I had over 33,000 emails queued
up and a bunch of bounces for undeliverable emails to domains like hotmail, yahoo,
comcast, aol, etc. I began to review the emails and soon realized that someone had
logged into the webmail on the server with userids on the box and sent emails. All of
the emails indicated the web access came from IPs in 41.138.x.x, which happens to be
in AfriNIC's world. This particular server is a local server and I knew that it was highly
unlikely that someone would be legitimately logging in from Africa. I immediately blocked
the CIDR from accessing the server and cleaned up the emails so that no more would
get out. After the cleanup was done I began reviewing the logs for the webmail service.
Sure enough, I discovered that 3 valid userids had indeed been used to log in to the server
from the 41.138.x.x IPs. I immediately changed the passwords on the 3 accounts so that the
spammers could not log in again from a different CIDR. Once the passwords were changed
I notified the customers of the situation.
I soon discovered that yesterday an email had been sent to the users on this adomain.net
(name changed to protect the domain). Here is what the email said:
Dear adomain.net Subscriber,
We are currently carrying-out a maintenance process to your adomain.net account, to
complete this, you must reply to this mail immediately, and enter your User Name
here (,,,,,,,,) And Password here (.......) if you are the rightful owner of
this account.
This process we help us to fight against spam mails. Failure to summit your password,
will render your email address in-active from our database.
NOTE: If your have done this before, you may ignore this mail. You will be send a
password reset messenge in next seven (7) working days after undergoing this process
for security reasons.
Thank you for using adomain.net!
THE adomain.net TEAM
In spite of multiple warnings in the past to the users on this domain, three of them responded
to the email. Those three logins were then used last night to log in to the webmail and send
the emails. Now some of you reading this are probably just shaking your head and wondering
why end users are so gullible. Well, I am with you on that. If you read the content of the email
you will soon realize that the email contained a number of grammatical errors and it is pretty
obvious that it is a poor attempt at English grammar. Most of us would just ignore the email and
delete it. Not these users... They fell for it hook, line and sinker.
I put this out for you because we have received inquiries from several other folks today about this
or a similar phish. Remind your employees/users that these emails are bogus and bad - not to
respond to them. If you are on any of my mail servers.... I thank you heartily. This morning's
little investigation and cleanup took out 3 otherwise productive hours from my day.
Deb Hale Long Lines, LLC
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Tags: News
Posted in ISC on June 10th, 2010 by ISC Handler
Some of you may have seen the article about an iPad security breach. Some of the information floating around is leading readers to believe that it is an
iPhone software problem. It is not: the issue is with a web application, not the iPhone or iPad software.
http://www.sophos.com/blogs/duck/g/2010/06/10/apples-worst-security-breach/
Apparently, the breach was the result of a web application vulnerability on an AT&T site. This allowed a malcontent to guess
at an AT&T SIM card identifier (the so-called ICC-ID) and, if the ICC-ID was issued to an iPad, to use it to retrieve the email address
of the iTunes account associated with the device.
The fact that this happened is bad; however, the amount of incorrect information circulating the Net is even worse. For the whole story see the
Sophos blog.
Another take on the situation:
http://www.wired.com/threatlevel/
Deb Hale Long Lines, LLC
Posted in ISC on June 9th, 2010 by ISC Handler
I subscribe to SearchSecurity at TechTarget and receive newsletters from them on a regular basis. It just so happens the one that I received
today had an article about how enterprises can prevent an attack due to PDF hacks. I just read through the article and found it a very good refresher
on best practices for protecting against any malware spread by using any number of compromised attachments.
It is human nature, I guess, that we open attachments from folks we know and unfortunately even some we don't know. Often times these attachments
contain more than we bargained for. Because Adobe is on every computer in the world (ok - maybe an exaggeration) it is a really big target. And
because it is a really big target there are a number of vulnerabilities associated with one component or another. The article from TechTarget states:
According to McAfee Inc. Avert Labs, as of Q1 2010, malicious malformed
PDF files are now involved with 28% of all malware directly connected to exploits.
Considering the number of different possible attack vectors, this 28% is huge. The article goes through some very common sense tips for protecting
your organization. This article, though focusing on misused PDFs, can be used to protect against other potential attack vectors.
Some may say this is old news and common sense, and I won't disagree. But sometimes the old makes things new again.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1513908,00.html?track=NL-422ad=769731asrc=EM_NLT_11739094uid=6115703
Deb Hale Long Lines, LLC
Posted in ISC on June 9th, 2010 by ISC Handler
Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google today indicates that
there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated.
For those who are hosting their websites on Windows IIS/ASP, you may find more information here.
http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html
http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html
Update: Paul at SophosLabs has released some additional information regarding this exploit and infection. Thanks Paul.
http://www.sophos.com/blogs/sophoslabs/?p=9941
Deb Hale Long Lines, LLC
Posted in ISC on June 8th, 2010 by ISC Handler
Overview of the June 2010 Microsoft Patches and their status.

Columns: # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) (clients / servers)

MS10-032 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (Replaces MS09-065)
  Affected: Windows Kernel
  CVEs: CVE-2010-0484, CVE-2010-0485, CVE-2010-1255
  Contra Indications: KB 979559
  Known Exploits: no known exploits
  Microsoft rating: Severity: Important; Exploitability: 1,1,1
  ISC rating(*): clients Critical / servers Critical

MS10-033 - Vulnerabilities in Media Decompression Could Allow Remote Code Execution (Replaces MS09-028, MS09-047, MS08-033)
  Affected: DirectShow, DirectX, Windows Media Format Runtime, COM
  CVEs: CVE-2010-1879, CVE-2010-1880
  Contra Indications: KB 979902
  Known Exploits: no known exploits
  Microsoft rating: Severity: Critical; Exploitability: 1,1
  ISC rating(*): clients Critical / servers Critical

MS10-034 - Cumulative Security Update of ActiveX Kill Bits (Replaces MS10-008)
  Affected: ActiveX, Internet Explorer 8
  CVEs: CVE-2010-0252, CVE-2010-0811
  Contra Indications: KB 980195
  Known Exploits: no known exploits
  Microsoft rating: Severity: Critical; Exploitability: 1,1
  ISC rating(*): clients Critical / servers Important

MS10-035 - Cumulative Security Update for Internet Explorer (Replaces MS10-018)
  Affected: Internet Explorer
  CVEs: CVE-2010-0255, CVE-2010-1257, CVE-2010-1259, CVE-2010-1260, CVE-2010-1261, CVE-2010-1262
  Contra Indications: KB 982381
  Known Exploits: no known exploits
  Microsoft rating: Severity: Critical; Exploitability: 2,3,1,?,?,1
  ISC rating(*): clients Critical / servers Important

MS10-036 - Vulnerabilities in COM validation in Microsoft Office Could Allow Remote Code Execution (Replaces MS08-055, MS10-017, MS10-028, MS09-068, MS09-017, MS10-023, MS10-004, MS09-027)
  Affected: Microsoft Office
  CVEs: CVE-2010-1263
  Contra Indications: KB 983285
  Known Exploits: no known exploits
  Microsoft rating: Severity: Important; Exploitability: 1
  ISC rating(*): clients Critical / servers Important

MS10-037 - Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege
  Affected: Windows Kernel
  CVEs: CVE-2010-0819
  Contra Indications: KB 980218
  Known Exploits: no known exploits
  Microsoft rating: Severity: Important; Exploitability: 2
  ISC rating(*): clients Critical / servers Critical

MS10-038 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (Replaces MS10-017)
  Affected: Excel
  CVEs: CVE-2010-0821, CVE-2010-0822, CVE-2010-0823, CVE-2010-0824, CVE-2010-1245, CVE-2010-1246, CVE-2010-1247, CVE-2010-1248, CVE-2010-1249, CVE-2010-1250, CVE-2010-1251, CVE-2010-1252, CVE-2010-1253, CVE-2010-1254
  Contra Indications: KB 2027452
  Known Exploits: no known exploits
  Microsoft rating: Severity: Important; Exploitability: 2,1,2,1,1,1,1,1,1,1,2,2,1,1
  ISC rating(*): clients Critical / servers Important

MS10-039 - Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (Replaces MS08-077)
  Affected: MS InfoPath, SharePoint Services
  CVEs: CVE-2010-0817, CVE-2010-1257, CVE-2010-1264
  Contra Indications: KB 2028554
  Known Exploits: exploits available
  Microsoft rating: Severity: Important; Exploitability: 1,3,3
  ISC rating(*): clients Important / servers Critical

MS10-040 - Remote Code Execution Vulnerability in IIS
  Affected: IIS
  CVEs: CVE-2010-1256
  Contra Indications: KB 982666
  Known Exploits: no known exploits
  Microsoft rating: Severity: Important; Exploitability: 2
  ISC rating(*): clients Important / servers Critical

MS10-041 - .Net Framework Data Tampering (Replaces MS09-061)
  Affected: .Net
  CVEs: CVE-2009-0217
  Contra Indications: KB 981343
  Known Exploits: exploits available
  Microsoft rating: Severity: Important; Exploitability: 3
  ISC rating(*): clients Important / servers Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
We use 4 levels:
PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not address some form of risk.
Posted in ISC on June 8th, 2010 by ISC Handler
In conjunction with the 2010 SANS Digital Forensics and Incident Response Summit... there is a contest!
To quote Rob Lee...
The 2010 Digital Forensics and Incident Response Summit's focus this year is examining and advancing the digital forensic professional to deal with advanced threats such as the APT and organized crime. Understanding how many of these crimes take place is crucial to creating lethal forensicators armed with the knowledge and skills to analyze complex cases. I asked Jonathan Ham and Sherri Davidoff (who co-authored the sell-out Forensics 558: Network Forensics course and created many successful contests at forensicscontest.com) to create a contest based partially on how the APT might try and trigger a compromise to steal intellectual property via a targeted attack via spear phishing.
I'm proud to announce that Jonathan and Sherri have created an amazing contest that will challenge you to use sophisticated skills and help you see the types of attacks that could be infecting your networks today. Using published information based on the Aurora attacks, they set out to recreate a sequence of events that demonstrate the challenge investigators will face when examining compromises resulting from clicking on links in a targeted spear phishing attack. This contest is a step in the right direction to help educate and challenge forensic professionals around the country. It also provides a good example of some of the discussions we will cover at the 2010 Forensic Summit: malware analysis, network forensics, and the Advanced Persistent Threat. Jonathan and Sherri will announce the winners at the Forensic Summit on July 8. We hope you win the challenge and will attend the 2010 Forensic Summit, July 8-9 in Washington D.C.
The contest itself is available over at the SANS Computer Forensics Blog.
Have fun!
UPDATE: SANS Forensics Challenge Webcast Archive is Now Online!
-- Rick Wanner - rwanner at isc dot sans dot org
Posted in ISC on June 8th, 2010 by ISC Handler
Posted in ISC on June 7th, 2010 by ISC Handler
If you happen to be at SANSFIRE, don't miss the Internet Storm Center panel in the Francis Scott Key 12 room at 7:00 PM EDT. If you are not there and want to follow this event live on Twitter, please visit http://twitter.com/sans_isc_fast.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Posted in ISC on June 7th, 2010 by ISC Handler
Windows has built-in controls for protecting the systems it runs on. These security settings are configured through Group Policy Objects that apply to all computers in the domain. A specific group of these settings, called Software Restriction Policies, can restrict the kinds of software that are allowed to run on a computer. It is a cheap and quick way to limit users' ability to execute programs.
We have received a report of a piece of malware that poses as a flash postcard downloaded from the Tarjetasnico website (http://tarjetasnico.com). This malware disables any restrictions configured on the computer through the Software Restriction Policy and then downloads the real malware from a website in Germany.
The initial program runs and sets the following registry value:

Registry Path: HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Key: DefaultLevel
Value: 262144
The number 262144 corresponds to the SAFER_LEVELID_FULLYTRUSTED level, which means the default execution policy is Unrestricted: any program can run, regardless of what restrictions are in place.
Please lock down the permissions on this registry key and keep its value at 0 on your company's computers, so that users cannot modify it and the restriction policies remain active.
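The following audit script is an added example, not code from the diary: it reads the DefaultLevel value named above, reports whether it has been flipped to 262144, optionally resets it to 0, and lists any non-administrative principal that can write to the key. The path and the values 0 and 262144 come from the diary; the other level constants are the SAFER_LEVELID_* values defined in winsafer.h.

```powershell
# Added audit example (not from the ISC diary). Assumes the registry path and the
# values 0 / 262144 quoted in the diary; the remaining levels are the SAFER_LEVELID_*
# constants from winsafer.h. Run from an elevated PowerShell prompt.
param([switch]$Remediate)   # -Remediate resets DefaultLevel to 0 (Disallowed)

$KeyPath = 'HKLM:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$SaferLevels = @{
    0      = 'Disallowed (SAFER_LEVELID_DISALLOWED) - restrictions active'
    4096   = 'Untrusted (SAFER_LEVELID_UNTRUSTED)'
    65536  = 'Constrained (SAFER_LEVELID_CONSTRAINED)'
    131072 = 'Basic User (SAFER_LEVELID_NORMALUSER)'
    262144 = 'Unrestricted (SAFER_LEVELID_FULLYTRUSTED) - SRP effectively disabled'
}

if (-not (Test-Path $KeyPath)) {
    Write-Warning "$KeyPath not present: no Software Restriction Policy is defined on this host."
    return
}

# 1. Read the default level that the malware described in the diary tampers with.
$level = (Get-ItemProperty -Path $KeyPath -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
if ($null -eq $level) {
    Write-Warning 'DefaultLevel value is missing; SRP falls back to its built-in default.'
} else {
    $name = if ($SaferLevels.ContainsKey([int]$level)) { $SaferLevels[[int]$level] } else { 'unknown level' }
    Write-Output ("DefaultLevel = {0} ({1})" -f $level, $name)
    if ([int]$level -eq 262144) {
        Write-Warning 'DefaultLevel is FULLYTRUSTED: this matches the tampering described in the diary.'
        if ($Remediate) {
            Set-ItemProperty -Path $KeyPath -Name DefaultLevel -Value 0 -Type DWord
            Write-Output 'DefaultLevel reset to 0 (Disallowed).'
        }
    }
}

# 2. Report any non-administrative principal allowed to write to the key.
#    Ordinary users only need read access; SetValue (or FullControl, which
#    includes it) for Users, Authenticated Users or Everyone means the policy
#    can be switched off exactly as the postcard malware does.
$acl       = Get-Acl -Path $KeyPath
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue
foreach ($rule in $acl.Access) {
    $id       = $rule.IdentityReference.Value
    $canWrite = (($rule.RegistryRights -band $writeMask) -ne 0)
    $isAdmin  = $id -match 'Administrators|SYSTEM|TrustedInstaller'
    if ($canWrite -and -not $isAdmin -and $rule.AccessControlType -eq 'Allow') {
        Write-Warning ("{0} has write access ({1}) to {2}" -f $id, $rule.RegistryRights, $KeyPath)
    }
}
```

Run it without switches to audit; add -Remediate to restore the value to 0 once you have confirmed the change was not intentional.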
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Posted in ISC on June 7th, 2010 by ISC Handler
For all those who love pen testing, there is an excellent tutorial on how to write an exploit for OS X. The tutorial explains how to write an exploit for the Evocam buffer overflow.
http://www.offensive-security.com/vulndev/evocam-remote-buffer-overflow-on-osx/
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org