Archive for the ‘ISC’ Category

SAGAN: An open-source event correlation system – Part 1: Installation, (Sun, Jul 18th)

One of the biggest challenges in effective incident response is correlating events and being aware of the real incidents happening inside your network. There are commercial alternatives such as Cisco MARS and RSA Envision, but many companies cannot afford them, and in many situations the network is not big enough to make the acquisition of a commercial product worthwhile.
I have lived the last case, and in my search I found SAGAN (http://sagan.softwink.com/) very useful. It is a real-time event log monitoring system that can detect incidents on hosts or on the network and can correlate that information with the Snort sensor present on your network. It gathers syslog events and then correlates them with other alerts such as Snort logs.
What are the installation prerequisites? A database to store the logs (I use MySQL, but there is also support for PostgreSQL for those who prefer it), libpcre, and libesmtp (http://www.stafford.uklinux.net/libesmtp/libesmtp-1.0.4.tar.gz). My setup was done on Ubuntu 10.04. The configure command used before compiling is ./configure --disable-postgresql. If everything goes well you should see the following:

The next step is to install the rules. By default, they are located in /usr/local/etc. Get the latest ruleset at http://sagan.softwink.com/rules and uncompress it into /usr/local/etc. Create an unprivileged sagan user and chown /var/log/sagan and /var/run/sagan to that user.
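As an added example (not from the diary or the SAGAN project), the post-build steps above as shell functions: the paths default to the ones the diary names (/usr/local/etc for the rules, /var/log/sagan and /var/run/sagan for runtime), and an optional root prefix lets you rehearse the layout under a scratch directory before running it for real as root. The ruleset tarball name and the useradd options are assumptions.

```shell
#!/bin/sh
# Added example, not the diary's or SAGAN's own scripts. Reproduces the diary's
# post-build steps: unpack the ruleset into /usr/local/etc, create an
# unprivileged "sagan" user and hand it /var/log/sagan and /var/run/sagan.
set -eu

# Build as described in the diary (MySQL output, PostgreSQL disabled).
# Run from the unpacked SAGAN source tree; assumes the usual autotools layout.
build_sagan() {
    ./configure --disable-postgresql && make && make install
}

# Unpack a downloaded rules tarball (file name assumed) into ETC_DIR.
install_sagan_rules() {
    tarball=$1
    etc_dir=${2:-/usr/local/etc}
    [ -f "$tarball" ] || { echo "missing ruleset: $tarball" >&2; return 1; }
    mkdir -p "$etc_dir"
    tar -xzf "$tarball" -C "$etc_dir"
}

# Create the unprivileged user (needs root; the useradd options are assumed).
create_sagan_user() {
    user=${1:-sagan}
    id "$user" >/dev/null 2>&1 && return 0
    useradd --system --no-create-home --shell /usr/sbin/nologin "$user"
}

# Create the log and pid directories under ROOT (empty for a real install)
# and chown them to USER when that user exists; mode 750 keeps other local
# users out of the alert logs.
prepare_sagan_runtime() {
    root=${1:-}
    user=${2:-sagan}
    for d in "$root/var/log/sagan" "$root/var/run/sagan"; do
        mkdir -p "$d"
        if id "$user" >/dev/null 2>&1; then
            chown "$user" "$d"
        fi
        chmod 750 "$d"
    done
}

# Real install, as root, from the source tree:
#   build_sagan; install_sagan_rules sagan-rules.tar.gz
#   create_sagan_user; prepare_sagan_runtime
```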
Want to get Windows events to correlate too? Use http://code.google.com/p/eventlog-to-syslog/
I will show you a practical example next Tuesday in part 2 :) More information about the installation is at https://wiki.softwink.com/bin/view/Main/SaganHOWTO
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Vulnerability in Windows "LNK" files?, (Fri, Jul 16th)

We've received plenty of information over the past couple of days about this alleged vulnerability in Windows .lnk files and its use against SCADA networks.
http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/
http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
UPDATE: Two of our Handlers have copies of it now on their analysis systems. Thank you, we will analyze it.
UPDATE 2: We have been notified via our comments that Symantec has definitions for this malware as well now.
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
UPDATE 3 (from Bojan):
Microsoft posted the advisory about the vulnerability in Windows Shell that has been exploited in some targeted attacks (the advisory is at http://www.microsoft.com/technet/security/advisory/2286198.mspx).
I've tested the exploit and can confirm that it works in Windows XP, Vista and Windows 7. The exploit uses a specially crafted LNK file. This file allows the attacker to execute an arbitrary file by carefully specifying its location; the LNK file in itself does not exploit any vulnerability such as a buffer overflow, for example, so it is a legitimate LNK file. The LNK file used in targeted attacks was manually crafted, as some fields that are normally present, such as CreationTime, AccessTime or WriteTime, are all set to 0.
I will not be posting details about how the exploit works, but here are some things that you should be aware of:

If autorun is disabled, when a USB device with malicious LNK files is inserted, the exploit will not be triggered automatically.
The exploit is triggered every time a folder containing malicious LNK files is opened (for example, with Windows Explorer). It does not matter where this folder is; it does not have to be on a USB device, but in order to execute the malicious binary, the attacker has to specify its location correctly.

What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example).
Some AV vendors started adding detection for these LNK files, although it is still very, very bad.
We will, of course, keep an eye on the development of this.
UPDATE4 (from Bojan):
A PoC that exploits this vulnerability has been posted today. I would recommend everyone to take a look at Microsoft's advisory that is available at http://www.microsoft.com/technet/security/advisory/2286198.mspx, especially the workarounds section (Disable the displaying of icons for shortcuts).
--
Bojan
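As an added triage check (not code from the diary or from Microsoft), the following shell functions read the fixed ShellLinkHeader of a .lnk file (MS-SHLLINK: a 0x4C-byte header whose CreationTime, AccessTime and WriteTime FILETIME fields sit at offset 28) and flag files whose three timestamps are all zero, the artifact Bojan describes above. It is a hunting heuristic for suspect shortcuts on shares and removable media, not a signature: legitimately generated shortcuts can also carry zero timestamps, so every hit needs manual review.

```shell
#!/bin/sh
# Added example, not from the diary. Flags .lnk files whose ShellLinkHeader
# timestamps (CreationTime, AccessTime, WriteTime) are all zero, the artifact
# noted above for the manually crafted shortcuts. Heuristic only.
set -eu

# Header layout (MS-SHLLINK): HeaderSize (4) | LinkCLSID (16) | LinkFlags (4)
# | FileAttributes (4) | CreationTime (8) | AccessTime (8) | WriteTime (8) | ...
TS_OFFSET=28
TS_LEN=24

# Dump LEN bytes at OFFSET of FILE as one lowercase hex string.
hex_at() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Return 0 when FILE is a shell link whose three timestamps are all zero,
# 1 when they are not, 2 when FILE does not even carry a .lnk header.
lnk_has_zero_timestamps() {
    f=$1
    # HeaderSize must be 0x0000004C, little-endian.
    [ "$(hex_at "$f" 0 4)" = "4c000000" ] || return 2
    ts=$(hex_at "$f" "$TS_OFFSET" "$TS_LEN")
    [ "$ts" = "000000000000000000000000000000000000000000000000" ]
}

# Walk DIR and print every .lnk file that trips the heuristic.
find_zero_timestamp_lnks() {
    find "$1" -type f -iname '*.lnk' 2>/dev/null | while IFS= read -r f; do
        if lnk_has_zero_timestamps "$f"; then printf '%s\n' "$f"; fi
    done
}

# Write a constructed minimal header (no link target) to PATH for testing;
# MODE "zero" gives all-zero timestamps, "stamped" a non-zero CreationTime.
make_sample_lnk() {
    path=$1; mode=$2
    {
        printf '\114\000\000\000'                                  # HeaderSize 0x4C
        printf '\001\024\002\000\000\000\000\000\300\000\000\000\000\000\000\106'  # LinkCLSID
        printf '\000\000\000\000\040\000\000\000'                  # LinkFlags, FileAttributes
        if [ "$mode" = zero ]; then
            dd if=/dev/zero bs=1 count=24 2>/dev/null              # three zero FILETIMEs
        else
            printf '\001\002\003\004\005\006\007\010'              # CreationTime (constructed)
            dd if=/dev/zero bs=1 count=16 2>/dev/null
        fi
        dd if=/dev/zero bs=1 count=24 2>/dev/null                  # FileSize .. Reserved
    } > "$path"
}
```

Run find_zero_timestamp_lnks against a mounted share or USB stick to list candidates for review.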

Bind 9.7.1-P2 is now available, (Fri, Jul 16th)

This is a notification just to let you know that ISC.org has released a new version of BIND, 9.7.1-P2. This reverses a change made in 9.7.1.
The change attempted to correct the behavior of a validating recursive resolver when explicitly queried for records of the type 'RRSIG'. These queries do not occur in normal DNSSEC operation, because RRSIG records are ordinarily returned along with the records they cover. Such a query can be used for manual testing purposes. As a result of the change in 9.7.1, if the cache did not contain any RRSIG records for the name, such a query would trigger an endless loop of recursive queries to the authoritative server.
This patch backs out that change; the underlying issue will be fixed in a future release. So, those of you who upgraded to 9.7.1-P1 will need to apply this patch.
It can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Be on the Alert, (Thu, Jul 15th)

I am seeing a large amount of spam hit our network that has been successful at fooling our spam filter. The emails contain attachments with .zip and .html extensions and various file names. The subject also varies. Some subjects that I have seen are:

Your Funds Will Be Transferred
From Jan Richter (name varies)
Newest Products
Latest Software

The zip file is being analyzed to determine what payload may be involved. You may want to remind your email users to refrain from opening any attachments that they weren't expecting to receive.

UPDATE: We have received some information from one of our readers that the zip file he received contained a multiple exploit-kit downloader. He indicated that there are over 120,000 successful downloads of the exe file. They have discovered that IP address 173. 204. 119 . 122 is where the file appears to be hosted and that it is being updated with new binaries consistently. The downloader appears to grab a few files with random file names, and they have been observed connecting to imagehut4 .cn, allxt .com and hitinto .com. Jason indicates that all files appear to run fully under Windows in VMware and are resistant to detection by many of the common threat programs.

Many thanks to Jason for supplying us with the information.

We also have received a report of emails which tell the recipient that the letter cannot be opened due to low screen resolution. It says that they need to open the attached zip file for the message. Again the filename for the zip file varies. Thanks to Jason R for this information.

Deb Hale Long Lines, LLC

Secunia Half Year Report for 2010 shows interesting trends, (Wed, Jul 14th)

I came across an article yesterday at secunia.com. Secunia is a leading provider of vulnerability intelligence and tracks the evolution of security threats. They have posted their Half Year Report 2010, which includes some interesting trends and statistics. This information may be of interest to some of our readers, so I thought it might make an interesting diary.

The key highlights of the Secunia Half Year Report 2010 are:

- Since 2005, no significant upward or downward trend in the total number of vulnerabilities in the more than 29,000 products covered by Secunia Vulnerability Intelligence was observed.
- A group of ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco, account on average for 38 percent of all vulnerabilities disclosed per year.
- In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760.
- During the first six months of 2010, 380 vulnerabilities, or 89% of the figure for all of 2009, have already been reached.
- A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 third-party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.

The report does a good job of discussing the current trends and statistics and highlights what they are seeing for vulnerabilities. To review the full report, check it out at http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf.

Deb Hale Long Lines, LLC

July 2010 Microsoft Black Tuesday Summary, (Tue, Jul 13th)

Overview of the July 2010 Microsoft patches and their status.
Important: with today's patches, support for XP SP2 officially comes to an end. There will be no more patches for XP SP2 after today.

| # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|
| MS10-042 Vulnerability in Help and Support Center Could Allow Remote Code Execution | Windows XP SP2 and above, Windows Server 2003 SP2 | CVE-2010-1885, KB 2229593 | actively being exploited | Severity: Critical, Exploitability: 1 | PATCH NOW! | Critical |
| MS10-043 Vulnerability in Canonical Display Driver Could Allow Remote Code Execution | Windows 7 x64, Windows Server 2008 R2 x64 | CVE-2009-3678, KB 2032276 | no known exploits | Severity: Critical, Exploitability: 2 | Critical | Critical |
| MS10-044 Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution | Access 2003 SP3, Access 2007 SP1 and above | CVE-2010-0814, CVE-2010-1881, KB 982335 | no known exploits | Severity: Critical, Exploitability: 1,1 | Critical | Critical |
| MS10-045 Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (Replaces MS09-060) | Outlook | CVE-2010-0266, KB 978212 | no known exploits | Severity: Important, Exploitability: 1 | Critical | Critical |

We will update issues on this page for about a week or so as they evolve.

We appreciate updates.

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.


The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.



---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

FOR408 coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=22353

VMware Studio Security Update, (Tue, Jul 13th)

The folks at VMware have posted a new bulletin and update to address a privilege escalation in a non-default configuration of appliances created with VMware Studio 2.0.
---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

FOR408 coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=22353

Forensic challenge results, (Tue, Jul 13th)

The results of the SANS Forensics Challenge (aka the 6th challenge from Jonathon Ham and Sherri Davidoff at http://forensicscontest.com) were announced last week at the SANS Forensics and Incident Response Summit. The winning entry was submitted by Wesley McGrew and included a cool new tool, pcapline.py. The other finalists also came up with some interesting tools, so be sure to check out all of them.
---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

FOR408 is coming to central OH in Sept, see http://www.sans.org/mentor/details.php?nid=22353

Thoughts on Malware for Mobile Devices – Part 2, (Mon, Jul 12th)

In last month's diary I asked two main questions.
How would I really know if there was malware on my smart phone?
How do we really know that mobile malware is not widespread right now?
So a poll was created asking for your experiences.
One reader commented asking what the definition of malware was. Given that most of the readers of this diary are sufficiently knowledgeable about security to dismiss tracking cookies and other such things, I have to believe that only true malware is being reported.
I hope you reported the cookies.
The results and some preliminary analysis follows:
DISCLAIMER: This is not a scientific poll, I am not a statistician and this should in no way be construed as an effort to spread FUD.
Of 540 respondents to date (the six respondents listing "other" have been removed, as their methods and results were not described):
83 of 540 (15.3%) of respondents were scanning for malware.
15 of 83 (18.1%) who were looking for malware on their mobile device found it.
457 of 540 (84.6%) were not scanning their devices.
Now, 540 responses is not a particularly large sample, but I have been monitoring the statistics as responses are entered and the percentage of people reporting they found malware consistently ranged from 15-20% so 18.1% seems to be a reasonable number. Likewise the percentage of people who were not scanning ranged consistently from 82-86%
Based on those numbers, 83 of the 457 people who responded who were not looking for malware would be infected. Ouch.
How many mobile devices are out there right now?
How many in your office building? How many in your city, your state, your country?
How many in the world?
Let's say these numbers are double what would be seen in the population at large.
Even so, if 9% of all the smart phones were infected with malware (especially if we didn't know it), that would be cause (IMHO) for alarm.
I couldn't find any good numbers on existing smart phones, but according to this ZDNet article, Credit Suisse projected that total smartphone sales for 2009 will end up at around 176 million units. In the years ahead, Credit Suisse expects the smartphone market to balloon to around 1.5 billion units. By comparison, worldwide unit sales of all mobile phones in 2009 will be about 1.2 billion and worldwide unit sales of all PCs in 2009 will be about 300 million.
Let's say the Credit Suisse was way, way off and we'll say there are only 100 Million smart phones in the world today.
And we'll say that even the 9% above was way off and it's half that, which would be only 25% of what the poll you responded to said.
4.5 Million infected devices.
1.5 Billion Units? I don't even want to think about it.
Do the math. Plug in your own numbers. Check your smart phones.
So my delayed, and corrected, answer to the gentleman at SANSFire who asked "Will this year be the year that malware on mobile devices becomes a problem?" is:

I think it is. We just don't know it.

Will you be following up with a site you can point your mobile app to that can scan it online?

I know my handy phone has started using its entire battery life in under 12 hours - ever since I downloaded a ring tone. So I'm really worried.

By the way, how do you look and see what's running on a mobile app? I don't see any cmdline prompt.

Any recommendations for mobile AV?

Thanks Mikel

I don't know of any site that you can point your mobile device to and have it be scanned online, and I would think that data charges for that would be prohibitive unless you had a truly unlimited data plan.

As for recommendations, it's no secret I'm not a fan of signature based AV. However, this is a case where something is better than nothing.

A defense in depth approach would be to use a different vendor on your smart phone than you use for your PC AV and then, if possible, scan your device either on insertion to your PC or manually.

I'm not sure what OS is on your device, but if it's Windows Mobile, task manager is there.

Christopher Carboni - Handler On Duty
http://twitter.com/ccarboni

Oracle July 2010 Pre-Release Announcement, (Sat, Jul 10th)


Oracle has published the Oracle Critical Patch Update Pre-Release Announcement for July 2010. The announcement states that Oracle is releasing 59 vulnerability fixes, including 21 for Solaris products. Of course these numbers may change between now and the expected release date, July 13, 2010.

--Tony Carothers