Archive for the ‘ISC’ Category
Posted in ISC on June 6th, 2010 by ISC Handler
For those of you who, like me, are fans of the various challenges, the Honeynet Project has released challenge 4 in their 2010 forensics series.
To quote from the challenge page: Challenge 4 - VoIP ... takes you into the world of voice communications on the Internet. VoIP with SIP is becoming the de-facto standard for voice communication on the Internet. As this technology becomes more common, malicious parties have more opportunities and stronger motives to take control of these systems to conduct nefarious activities. This Challenge is designed to examine and explore some of the attributes of the SIP and RTP protocols. Enjoy the challenge.
Have fun!
-- Rick Wanner - rwanner at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Posted in ISC on June 5th, 2010 by ISC Handler
Adobe has released an advisory that a critical vulnerability exists for Windows, Macintosh, Linux and Solaris in the Adobe Flash Player version 10.0.45.2 and earlier as well as in the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe has received reports indicating this vulnerability is being actively exploited in the wild against Adobe Flash Player, Adobe Reader and Acrobat. The original security bulletin and suggested mitigations by Adobe is posted here.
Affected Versions
- Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
- Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX
Not Vulnerable
- Flash Player 10.1 Release Candidate (can be downloaded here)
- Adobe Reader and Acrobat 8.x are confirmed not vulnerable
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Posted in ISC on June 5th, 2010 by ISC Handler
OpenOffice's latest version is available for Windows, Mac OS, Linux and Solaris systems. This release fixes 5 potential vulnerabilities, adds more stability and speed but no new features. The security bulletin is posted here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Posted in ISC on June 4th, 2010 by ISC Handler
The Internet Storm Center has been known under a number of different domain names. Starting with incidents.org, moving to isc.incidents.org and isc.sans.org we accumulated some history. These days, the Internet Storm Center is operated by the SANS Technology Institute, which uses sans.edu. To finally reflect this change, we will be using isc.sans.edu as our primary host name going forward.
All old domains will work as before, but in order to clean up some of the cruft, I am going to implement 301 redirects to clean the old domains out of search engines. We obtained a multiple-domain (UCC) SSL certificate to support SSL for all the old domain names.
If you log in, you HAVE to use the isc.sans.edu site. Cookies are set only for isc.sans.edu. Of course, please report any problems you may have.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Posted in ISC on June 3rd, 2010 by ISC Handler
Microsoft announced today they will be releasing a total of 10 bulletins addressing 34 vulnerabilities rated important (7) to critical (3) that could allow remote code execution. Six bulletins affect all Windows versions (2 critical and 4 important), two affect Microsoft Office XP, 2003 and 2007 (2 important), one affects Windows and Office (important) and one affects Internet Explorer (critical). More details are available here.
Two other publicly known security issues will be addressed this month:
Vulnerability in Microsoft SharePoint - Security Advisory 983438
Vulnerability in Internet Explorer - Security Advisory 980088
[1] Microsoft Security Response Center Blog
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Posted in ISC on June 3rd, 2010 by ISC Handler
tcpdump is one of those utilities we take for granted. Ask in any networking class, and more or less everybody has used it before and knows how to use it. tcpdump was first written in 1987 as a research project. Since then, the library behind it (libpcap) and the tool itself have been ported to more or less any operating system out there and have been incorporated into too many tools to count (Bill Stearns tried [1]).
What is often overlooked: tcpdump is still actively developed. Right now, the latest version is 4.1.1 with libpcap version 1.1.1 [2]. Many operating systems use version 4.0 now by default.
So what changed? What are the things you may not know about tcpdump? Here are some of the favorite items I ran into; please feel free to submit more.
snaplength: it is no longer 68 bytes! New versions of tcpdump (4.0 and later) default to a snaplength of 64k. No more need to use -s 0 (but it doesn't hurt).
IPv6 support: the ip[] filter works for all versions of IP BUT IPv6. Also, tcpdump will happily treat packets as IPv4 if the first 4 bits are anything but '6'. If you want to filter for IPv6, use 'ip6'.
The -E option will decrypt IPSEC traffic. You need to know the shared secret or secret key of course and not all algorithms are supported.
-Z username will drop root privileges and run tcpdump as username after it started. (many versions now do this by default using a pcap user).
portrange: a macro that can be used to filter a range of ports (e.g. portrange 0-1023).
less/greater: filter packets by length.
new versions of tcpdump will print more than one line if the '-v' switch is used (this breaks a lot of old shell scripts that use grep and such to filter).
there are now a number of macros for common offsets. For example tcp[tcpflags] is equivalent to tcp[13].
the proto macro will only match the next header field in the IPv6 header, which may not be the transport layer protocol that you expect from IPv4.
the -C option can be used to rotate files after they reach a number of mbytes (don't confuse with lower case -c).
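To make the IPv6 items above concrete (the ip[] offsets, the proto macro reading only the fixed Next Header field, and the tcp[tcpflags] macro), here is an added Python example that is not part of the diary: it builds a constructed IPv6 packet with a Hop-by-Hop extension header in front of TCP and shows what each filter expression would actually read. The extension-header set and the packet contents are simplifying assumptions for the example.

```python
import ipaddress
import struct

# IPv6 extension headers that can sit between the fixed header and the
# transport header (assumed subset for this example: hop-by-hop, routing,
# fragment, destination options).
IPV6_EXT_HEADERS = {0, 43, 44, 60}

def ip_version(pkt):
    # The test tcpdump's 'ip' / 'ip6' keywords hinge on: the top 4 bits.
    return pkt[0] >> 4

def bpf_ip_proto(pkt):
    # What the IPv4 expression 'ip[9]' (ip proto X) reads, whatever the version.
    return pkt[9]

def bpf_ip6_proto(pkt):
    # What 'ip6 proto X' / the proto macro reads: only the fixed-header
    # Next Header byte at offset 6.
    return pkt[6]

def real_ip6_transport(pkt):
    # Walk the extension-header chain to the real transport protocol;
    # returns (protocol number, offset of the transport header).
    nh, off = pkt[6], 40
    while nh in IPV6_EXT_HEADERS:
        if nh == 44:                      # fragment header is a fixed 8 bytes
            nh, off = pkt[off], off + 8
        else:                             # others carry length in 8-octet units
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return nh, off

def tcp_flags(pkt, tcp_off):
    # tcp[13], i.e. tcp[tcpflags] in newer tcpdump, relative to the TCP header.
    return pkt[tcp_off + 13]

def build_ipv6_hbh_tcp():
    # Constructed sample: IPv6 / Hop-by-Hop options / TCP SYN to port 80.
    tcp = struct.pack('!HHIIBBHHH', 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    hbh = bytes([6, 0, 1, 4, 0, 0, 0, 0])   # next=TCP, len=0 (8 bytes), PadN
    src = ipaddress.IPv6Address('2001:db8::1').packed
    dst = ipaddress.IPv6Address('2001:db8::2').packed
    ip6 = struct.pack('!IHBB', 0x60000000, len(hbh) + len(tcp), 0, 64) + src + dst
    return ip6 + hbh + tcp

PKT = build_ipv6_hbh_tcp()
```

On this packet 'ip[9]' reads a byte of the source address (1, which looks like ICMP), the proto macro reads 0 (Hop-by-Hop) rather than 6, and only walking the chain finds TCP at offset 48.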
Know any more hidden and forgotten features? Let us know....
[1] http://www.stearns.org/doc/pcap-apps.html
[2] http://www.tcpdump.org
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Posted in ISC on June 2nd, 2010 by ISC Handler
In the last couple of days there has been an outbreak of clickjacking attacks on Facebook's Like plugin. For those unfamiliar with Facebook, this plugin allows users to mark certain pages as interesting; subsequently a statement appears in their profile that they like certain content.
Since we received a lot of e-mails from our readers about these attacks (and certainly some media covered variants of them), I decided to analyze one which is still up and working as I found it pretty interesting.
The main idea of this attack is to get a user to click on a hidden link while the user thinks he is actually clicking on something else; this is the basis for clickjacking attacks. So, let's see how it's done in Facebook's example.
The main malicious web page tries to entice the user to click on it to see the rest of the so-called best passport application rejection in history. The web page just contains a single JPG image and you can see below what it looks like:
Now, what happens behind the scenes is pretty interesting. The HTML source contains two obfuscated JavaScript elements and an iframe that do all the work.
Let's first see what the iframe does:
The div tag makes this iframe completely invisible (and the attacker makes sure that this works in every browser by using all the possible opacity combinations). Then the iframe points to the Like plugin at Facebook, and sets the href parameter to the target web site (the credittreport.info site).
This is what shows in the iframe:
Yes, there are 15,687 people infected with this.
Now comes the interesting part: how to make the user click on this relatively small icon. The second obfuscated JavaScript element tells the rest of the story:
Let's analyze this JavaScript code. In line 2 they get the icontainer element; this element holds the iframe, and you can see in the iframe code above that the div tag uses the id icontainer. The standardbody object will contain the document body. Now, let's skip to line 21: this line defines a handler for mouse movement. So, every time the mouse is moved, the function starting at line 22 is called. The function checks if the iflag variable is 0 (and it is, until the user clicks on the hidden element). If the variable is 0, the mouse movement handler will call the mouseFollower() function. And this is the main trick: the mouseFollower() function actually moves the iframe to follow the mouse! So the attackers made sure that no matter where you click on the web page, you will land on the hidden Facebook button and infect yourself by posting a message on your profile saying that you like this malicious site. When a friend of yours clicks on that link, he/she will be taken to this web page again and no matter where they click, they will end up doing the same! If you close the window, nothing will happen.
Attacks such as this one have become increasingly popular lately, so be careful what you click on, no matter if it's in Facebook or not. If you are a Facebook user, be especially careful of all links, especially those that require you to click on something else to see the real content.
While this isn't really a vulnerability in Facebook, it does appear that their team will have to step up and implement some controls to prevent clickjacking attacks such as this one.
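The hidden-iframe pattern described above (every vendor opacity variant set to zero, absolute positioning so a script can drag the frame under the cursor, and a src on a third-party origin) is easy to flag from the defender's side. The following is an added Python example, not code from the diary or from Facebook: a heuristic a page scanner or browser extension could apply to the iframes it extracts from a page. The frame records, the lure page URL and the sample Like-plugin URL are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

def parse_style(style):
    # Turn an inline style string into a dict of lower-cased declarations.
    decls = {}
    for part in style.split(';'):
        name, sep, value = part.partition(':')
        if sep:
            decls[name.strip().lower()] = value.strip().lower()
    return decls

def is_transparent(decls):
    # The attacker covers every browser: opacity, -moz-opacity, -khtml-opacity
    # and the IE filter alpha(opacity=0) (also seen under -ms-filter).
    if any(decls.get(p) == '0' for p in ('opacity', '-moz-opacity', '-khtml-opacity')):
        return True
    ie_filter = decls.get('filter', '') + ' ' + decls.get('-ms-filter', '')
    return re.search(r'alpha\(\s*opacity\s*=\s*0\s*\)', ie_filter) is not None

def origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port)

def is_third_party(src, page_url):
    # Relative srcs resolve against the page; only a different origin counts.
    return origin(urljoin(page_url, src)) != origin(page_url)

def find_suspicious_frames(frames, page_url):
    # frames: list of {'src': ..., 'style': ...} records extracted from the DOM.
    hits = []
    for f in frames:
        d = parse_style(f.get('style', ''))
        if is_transparent(d) and d.get('position') == 'absolute' \
                and is_third_party(f['src'], page_url):
            hits.append(f['src'])
    return hits

# Constructed sample: one clickjacking-style frame, one same-origin hidden
# frame, one ordinary visible embed.
LURE_PAGE = 'http://lure.example/passport.html'
SAMPLE_FRAMES = [
    {'src': 'http://www.facebook.com/plugins/like.php?href=http://target.example/',
     'style': 'opacity:0;filter:alpha(opacity=0);-moz-opacity:0;'
              '-khtml-opacity:0;position:absolute;width:50px;height:20px'},
    {'src': '/tracker.html', 'style': 'position:absolute;opacity:0'},
    {'src': 'http://video.example/embed/1', 'style': 'width:560px;height:315px'},
]
```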
-- Bojan
INFIGO IS
Posted in ISC on June 2nd, 2010 by ISC Handler
A new strain of Mac malware is being reported by Intego: OSX/OpinionSpy.
You can find details here:
http://blog.intego.com/2010/06/01/intego-security-alert-osxopinionspy-spyware-installed-by-freely-distributed-mac-applications/
http://webcache.googleusercontent.com/search?q=cache:tWyWhF_d-30J:blog.intego.com/+flv+mp3+integocd=1hl=enct=clnkgl=caclient=firefox-a
So far, it has been seen on a number of screensavers and a small Java/PHP app generally named mac_flv_to_mp3.php or similar, but be cautious on downloads: it's a simple bolt-on, so be on the lookout for it elsewhere.
The neat thing about this malware is that it passes most static scan tests - the downloaded software itself is clean; the malware is downloaded as part of the installation process. This highlights the requirement for an on-access virus scanner for your OS X computers. I hate to bring that advertisement up again, but the "viruses? Oh, Macs don't have that problem" statement was both untrue and a huge red flag for malware authors.
Thanks to several readers for both pointing us to this article, and shooting us a copy of the actual code !
=============== Rob VandenBrink Metafore
Posted in ISC on June 2nd, 2010 by ISC Handler
I received a disturbing (to me) piece of SPAM this morning:
As happens occasionally, this one sailed through our SPAM filter, but it got my attention for a number of reasons
The spelling and grammar are pretty good - this does not look like your typical spam
It doesn't ask for money
It does ask for your personal information
It pretends to come from a charity that has a long history of delivering services via volunteering.
After a bit of digging, this looks like a new specimen, just cropping up over the last few days (I could be wrong on this, please correct me if so)
I think it bothers me so much at a personal level because H for H is a favourite charity of mine - where else can you do so much good, and get to use your power tools at the same time?
As you'd expect, the text of the reply-to address looks like a legit-sounding address, but under the text, the actual link goes to a bogus gmail account.
So, I thought - what to do? I haven't been an admin responsible for a corporate mail server in several years - is this kind of spam normal these days? My best answer to this question was to ask the readers at ISC - any comments that any of you might have on this spam-bit, or any trend that it may represent, would be very much appreciated. Please use the comment button, and pass along any info you may have.
As a trend, we see that SPAM tends to follow the news. I'd expect that we're seeing SPAM about the BP oil disaster in the Gulf of Mexico, and also about the Pacaya volcano eruption near Guatemala City. Are you seeing spam taking advantage of these events?
Just to feed the discussion a bit more - what's next? Will we be seeing SPAM from bogus medical labs - "There may be an issue with your recent blood test, please enter your information to verify" or some-such? How far will these low-lifes go to get our info or cash?
I'd like to say I'm disappointed in our fellow online denizens, but really the worse these get, the more I almost seem to expect them.
Please comment, let us know what you're seeing out there spam-wise!
=============== Rob VandenBrink Metafore ===============