SANS Internet Storm Center

InfoCON: green

Firefox 3.6.7 is out!! , (Tue, Jul 20th)

Tue, 07/20/2010 - 20:00
More information at http://www.mozilla.com/en-US/firefox/3.6.7/releasenotes.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Lowering infocon back to green, (Tue, Jul 20th)

Tue, 07/20/2010 - 16:53
According to the arguments presented by Handler Lenny when the Infocon level was increased, we believe that the purpose of increasing the awareness on this vulnerability has been fulfilled, so we are falling back to green level. This does not imply that the threat is over.
If we see a major attack arise using this vulnerability, we will let you know and if it is bad enough we will raise infocon again.
Update: There is an interesting article from Didier Stevens about how to mitigate LNK exploitation with software restriction policies. Read it at http://blog.didierstevens.com/2010/07/20/mitigating-lnk-exploitation-with-srp/.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow, (Mon, Jul 19th)

Tue, 07/20/2010 - 16:06
We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation. Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far.
Although the original attack used the LNK vulnerability to infect systems from a USB key, the exploit can also launch malicious programs over SMB file shares. In one scenario, attackers that have access to some systems in the enterprise can use the vulnerability to infect other internal systems.
We discussed the LNK vulnerability in a diary a few days ago. That note pointed to Microsoft's advisory that described the bug "Windows Shell Could Allow Remote Code Execution", which affects most versions of Windows operating systems. Microsoft's workarounds for the issue include:

Disable the displaying of icons for shortcuts. This involves deleting a value from the registry, and is not the easiest thing to do in some enterprise settings. Group Policy-friendly options include the use of Registry Client-Side Extensions, the regini.exe utility and the creation of a custom .adm file: see Distributing Registry Changes for details.
Disable the WebClient service. This will break WebDAV and any services that depend on it.

Another approach to mitigate the possible LNK attack involves the use of Didier Stevens' tool Ariad. Note that the tool is beta software operating in the OS kernel, so it's probably not a good match for enterprise-wide roll-out.
Additional recommendations for making the environment resilient to an attack that exploits the LNK vulnerability include:

Disable auto-run of USB key contents. This would address one of the exploit vectors. For instructions, see Microsoft KB967715.
Lock down SMB shares in the enterprise, limiting who has the ability to write to the shares.

Sadly, enterprises that are likely to ever disable auto-run and lock down SMB file shares have probably done this already back when the Conficker worm began spreading. Another challenge is that Windows 2000 and Windows XP Service Pack 2 are vulnerable, yet Microsoft no longer provides security patches for these OS versions. As a result, we believe most environments will be exposed until Microsoft releases a patch. We're raising the Infocon level in the hope that increased vigilance will increase enterprises' ability to detect and respond to the attacks that may use the LNK vulnerability.
Update: Several readers recommended focusing on preventing unauthorized code from running by using approaches such as application whitelisting. For instance, Richard and Erno mentioned AppLocker, which is an enterprise software control feature built into Windows 7. Erno wrote: "My solution is standard user accounts and Software Restriction Policy or AppLocker in Group Policy. You can block execution of any files on removable drives or network drives, or actually pretty much anywhere except system folders. In my networks I only allow execution from Windows and Program Files. Remember to apply the software restriction policy for all executable files, including libraries (dlls)." By the way, this is the kind of approach Jason Fossen and I explore in the new course we are about to debut, called Combating Malware in the Enterprise.
Do you have recommendations for addressing the LNK issue? Let us know.
-- Lenny
Lenny Zeltser - Security Consulting

Lenny teaches how to analyze and combat malware at SANS Institute. You can find him on Twitter.



Truecrypt 7.0 released, (Tue, Jul 20th)

Tue, 07/20/2010 - 15:25
For all those who like TrueCrypt, version 7.0 is out. Some of the new features are:

Hardware-accelerated AES
It is now possible to configure a TrueCrypt container on a USB flash drive to mount the drive automatically whenever you insert the USB flash drive into the USB port. This is cool.
Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes (Windows, Linux).
Favorite Volumes Organizer: this means that you can now organize your mounted devices upon logon to the system as read-only or removable media.
The Favorites menu now contains a list of your non-system favorite volumes. When you select a volume from the list, you are asked for its password (and/or keyfiles) (unless it is cached) and if it is correct, the volume is mounted. (Windows)

More information at the TrueCrypt website.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

iTunes buffer overflow vulnerability, (Tue, Jul 20th)

Tue, 07/20/2010 - 08:20
Apple has released a new version of iTunes (9.2.1), which addresses CVE-2010-1777: a buffer overflow exists in the handling of itpc: URLs, which might lead to application termination or arbitrary code execution.
More information at http://support.apple.com/kb/HT4263.
This affects version 9 of iTunes, and only on the Windows platform.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

LNK vulnerability now with Metasploit module implementing the WebDAV method, (Tue, Jul 20th)

Tue, 07/20/2010 - 02:54

More on the LNK vulnerability. In addition to our first report from Handler Joel and the Infocon raising from Handler Lenny, there is now a Metasploit module that implements the exploit with the WebDAV method.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

VMware vCenter Update Manager security patch for Jetty Web server: http://www.vmware.com/security/advisories/VMSA-2010-0012.html, (Mon, Jul 19th)

Mon, 07/19/2010 - 16:57

Targeting VoIP: Increase in SIP Connections on UDP port 5060, (Mon, Jul 19th)

Mon, 07/19/2010 - 16:40
We observed an increase in UDP connections that use UDP port 5060. This port is typically used for VoIP connections using the SIP protocol. The activity is indicative of attempts to locate weakly-configured IP PBX systems, probably to brute-force SIP passwords. Once the attacker has access to the account, they may use it to make or resell unauthorized calls. The attacker may also use the access to conduct a voice phishing (vishing) campaign.

We observed a similar up-tick a few months ago. At the time, the activity was attributed to SIP brute-forcing that probably originated from systems running in Amazon's EC2 cloud.
As described on the Digium blog, publicly-accessible SIP systems are seeing large numbers of brute-force attacks. Systems with weak SIP credentials will be compromised, similarly to how email accounts can be compromised by guessing the credentials. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly.
One way to review your SIP exposure is to use the free SIPVicious toolkit. Interestingly, SIPVicious now includes a tool for crashing unauthorized SIPVicious scans.
A few security recommendations for those using the popular Asterisk IP PBX tool:

Automatically Block Failed SIP Peer Registrations
Seven Steps to Better SIP Security with Asterisk
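As an added example (not from the diary, from Digium or from Asterisk itself), the following Python implements detection logic of the "automatically block failed SIP peer registrations" kind recommended above: it counts chan_sip registration failures per source IP in a sliding window over Asterisk messages-log lines and reports sources that cross a threshold. The log lines are constructed, the regex assumes the Asterisk 1.6/1.8 NOTICE wording, and the iptables rule is an assumed responder action.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# chan_sip failure line (Asterisk 1.6/1.8 wording, assumed); the ":port" suffix is optional.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)


class SipBruteForceDetector:
    """Sliding-window counter of failed SIP registrations per source IP."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.recent = defaultdict(deque)   # ip -> failure timestamps inside the window
        self.total = defaultdict(int)      # ip -> all failures seen
        self.users = defaultdict(set)      # ip -> account strings tried (enumeration hint)
        self.flagged = {}                  # ip -> time the threshold was crossed

    def feed(self, line):
        """Consume one log line; return the IP if this line crossed the threshold."""
        m = FAILED_REG.match(line)
        if not m:
            return None                    # not a registration failure, ignore
        # Asterisk omits the year; strptime fills in 1900, fine for relative windows.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        ip = m.group("ip")
        self.total[ip] += 1
        self.users[ip].add(m.group("user"))
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.flagged:
            self.flagged[ip] = ts
            return ip
        return None

    def report(self):
        """ip -> (total failures, distinct accounts tried) for every flagged source."""
        return {ip: (self.total[ip], len(self.users[ip])) for ip in self.flagged}


def block_command(ip):
    """Host firewall rule a responder might apply (iptables syntax, assumed here)."""
    return f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP"


def scan(lines, threshold=5, window_seconds=60):
    """Run the detector over an iterable of log lines and return its report."""
    det = SipBruteForceDetector(threshold, window_seconds)
    for line in lines:
        det.feed(line)
    return det.report()


# Constructed sample log: one source walking extensions 100-105 within five seconds
# (classic enumeration), one legitimate user mistyping a password twice, and an
# unrelated VERBOSE line that the regex must ignore.
SAMPLE_LOG = """\
[Jul 19 16:40:01] NOTICE[2154] chan_sip.c: Registration from '"100" <sip:100@198.51.100.20>' failed for '203.0.113.5' - No matching peer found
[Jul 19 16:40:02] NOTICE[2154] chan_sip.c: Registration from '"101" <sip:101@198.51.100.20>' failed for '203.0.113.5' - No matching peer found
[Jul 19 16:40:02] NOTICE[2154] chan_sip.c: Registration from '"102" <sip:102@198.51.100.20>' failed for '203.0.113.5' - Wrong password
[Jul 19 16:40:03] NOTICE[2154] chan_sip.c: Registration from '"103" <sip:103@198.51.100.20>' failed for '203.0.113.5' - No matching peer found
[Jul 19 16:40:04] NOTICE[2154] chan_sip.c: Registration from '"104" <sip:104@198.51.100.20>' failed for '203.0.113.5' - No matching peer found
[Jul 19 16:40:05] NOTICE[2154] chan_sip.c: Registration from '"105" <sip:105@198.51.100.20>' failed for '203.0.113.5:5060' - Wrong password
[Jul 19 16:40:10] NOTICE[2154] chan_sip.c: Registration from '"201" <sip:201@198.51.100.20>' failed for '192.0.2.10' - Wrong password
[Jul 19 16:40:30] NOTICE[2154] chan_sip.c: Registration from '"201" <sip:201@198.51.100.20>' failed for '192.0.2.10' - Wrong password
[Jul 19 16:41:00] VERBOSE[2154] logger.c:     -- Registered SIP '201' at 192.0.2.10:5060
""".splitlines()

if __name__ == "__main__":
    for ip, (count, accounts) in scan(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, {accounts} accounts tried -> {block_command(ip)}")
```

With the default threshold the legitimate user with two failures is not flagged; the distinct-account count separates extension enumeration from a single user retyping a password.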

Thanks to Adam Fathauer and Thomas B. Rücker for sharing the details of some of the malicious activities with us! Also, thanks to ISC handler Donald Smith for his insights on this topic.
-- Lenny
Lenny Zeltser - Security Consulting

Lenny teaches how to analyze and combat malware at SANS Institute. You can find him on Twitter.

New metasploit GUI written in Java, (Sun, Jul 18th)

Sun, 07/18/2010 - 19:16
If you don't like command mode to interact with metasploit, I have good news for you: there is a new Java GUI. Don't forget to install Java to execute it. More information at http://pauldotcom.com/2010/07/metasploit-new-gui.html.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

SAGAN: An open-source event correlation system - Part 1: Installation, (Sun, Jul 18th)

Sun, 07/18/2010 - 19:03
One of the biggest threats to effective incident response is correlating events and being aware of real incidents happening inside your network. There are some commercial alternatives like Cisco MARS and RSA enVision, but many companies can't afford those alternatives, and in many situations the size of the network is not big enough to make the acquisition of a commercial product worthwhile.
I have been in the latter situation, and in my search I found SAGAN (http://sagan.softwink.com/) very useful. It is a real-time event log monitoring system that is able to detect incidents on hosts or the network and can correlate information with the snort sensor present on your network. It gathers syslog events and then correlates them with other alerts such as snort logs.
What are the installation prerequisites? A database to save logs (I use MySQL, but there is also support for PostgreSQL for those who like it), libpcre and libesmtp (http://www.stafford.uklinux.net/libesmtp/libesmtp-1.0.4.tar.gz). My setup was done on Ubuntu 10.04. The configure command used before compiling is ./configure --disable-postgresql. If everything goes well you should see the following:

The next step is to install the rules. By default, they are located at /usr/local/etc. Find the latest ruleset at http://sagan.softwink.com/rules. Uncompress it at /usr/local/etc. Create an unprivileged sagan user and chown /var/log/sagan and /var/run/sagan to the sagan user.
Want to get windows events to correlate too? Use http://code.google.com/p/eventlog-to-syslog/
I will show you a practical example next Tuesday in part 2 :) More information about installation at https://wiki.softwink.com/bin/view/Main/SaganHOWTO
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Vulnerability in Windows "LNK" files?, (Fri, Jul 16th)

Sun, 07/18/2010 - 17:17
We've received plenty of information over the past couple of days about this alleged vulnerability in Windows LNK files, and its use against SCADA networks.
http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/
http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
UPDATE: Two of our Handlers have copies of it now on their analysis systems. Thank you, we will analyze it.
UPDATE 2: We have been notified via our comments that Symantec has definitions for this malware as well now.
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
UPDATE 3 (from Bojan):
Microsoft posted the advisory about the vulnerability in Windows Shell that has been exploited in some targeted attacks (the advisory is at http://www.microsoft.com/technet/security/advisory/2286198.mspx).
I've tested the exploit and can confirm that it works in Windows XP, Vista and Windows 7. The exploit uses a specially crafted LNK file. This file allows the attacker to execute an arbitrary file by carefully specifying its location; the LNK file in itself does not exploit any vulnerability such as a buffer overflow, for example, so it is a legitimate LNK file. The LNK file used in targeted attacks was manually crafted, as some fields that are normally present, such as CreationTime, AccessTime or WriteTime, are all set to 0.
I will not be posting details about how the exploit works, but here are some things that you should be aware of:

If autorun is disabled, when a USB device with malicious LNK files is inserted, the exploit will not be triggered automatically.
The exploit is triggered every time a folder containing a malicious LNK file is opened (for example, with Windows Explorer). It does not matter where this folder is: it does not have to be on a USB device, but in order to execute the malicious binary, the attacker has to specify its location correctly.

What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example).
Some AV vendors started adding detection for these LNK files, although it is still very, very bad.
We will, of course, keep an eye on the development of this.
UPDATE4 (from Bojan):
A PoC that exploits this vulnerability has been posted today. I would recommend everyone to take a look at Microsoft's advisory that is available at http://www.microsoft.com/technet/security/advisory/2286198.mspx, especially the workarounds section (Disable the displaying of icons for shortcuts).
-- Bojan
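As an added example (not ISC's, Microsoft's or any AV vendor's code), a Python triage helper built around Bojan's observation above that the hand-crafted LNK files had CreationTime, AccessTime and WriteTime all set to 0: it parses the fixed 76-byte ShellLinkHeader (field offsets per the MS-SHLLINK specification) and flags that anomaly for an analyst. The sample headers are constructed inline, and the zero-timestamp heuristic is assumed to be only a reason to look closer, not a verdict.

```python
import struct
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C  # fixed ShellLinkHeader length
# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class LnkHeader:
    link_flags: int
    file_attributes: int
    creation_time: int  # raw FILETIME values; 0 means "not set"
    access_time: int
    write_time: int
    file_size: int


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 (unset) -> None."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed samples."""
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_header(data):
    """Parse the fixed ShellLinkHeader; raise ValueError if data is not a shortcut."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a .lnk file")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("missing ShellLinkHeader signature")
    # Offset 20: LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize
    return LnkHeader(*struct.unpack_from("<IIQQQI", data, 20))


def is_lnk(data):
    """True if data starts with a valid ShellLinkHeader."""
    try:
        parse_header(data)
        return True
    except ValueError:
        return False


def triage(data):
    """Return human-readable findings for one .lnk file; an empty list means nothing odd."""
    hdr = parse_header(data)
    findings = []
    if hdr.creation_time == hdr.access_time == hdr.write_time == 0:
        # Weak heuristic (assumption): some legitimately generated shortcuts also
        # carry zero timestamps, so this is a prompt to look closer, not a verdict.
        findings.append("all three header timestamps are zero (hand-crafted?)")
    return findings


def build_header(ctime, atime, wtime, flags=0):
    """Constructed sample: a minimal 76-byte ShellLinkHeader with no trailing structures."""
    body = struct.pack("<I16sIIQQQIiIH", HEADER_SIZE, LINK_CLSID, flags, 0x20,
                       ctime, atime, wtime, 0, 0, 1, 0)   # FileSize, IconIndex, ShowCommand, HotKey
    return body + b"\x00" * (HEADER_SIZE - len(body))      # Reserved1..Reserved3


# Constructed samples: one shortcut with ordinary timestamps, one with all three zeroed.
SAMPLE_TIME = datetime(2010, 7, 16, 12, 0, tzinfo=timezone.utc)
NORMAL_LNK = build_header(*([datetime_to_filetime(SAMPLE_TIME)] * 3))
ZERO_TIME_LNK = build_header(0, 0, 0)

if __name__ == "__main__":
    # Usage: python lnk_triage.py file1.lnk file2.lnk ...  (only the header is read)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(HEADER_SIZE)
        try:
            print(path, triage(head) or ["no findings"])
        except ValueError as exc:
            print(path, "skipped:", exc)
```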

Bind 9.7.1-P2 is now available, (Fri, Jul 16th)

Thu, 07/15/2010 - 21:25
This is a notification just to let you know that ISC.org has released a new version of BIND, 9.7.1-P2. This reverses a change made in 9.7.1.
The change attempted to correct the behavior of a validating recursive resolver when explicitly queried for records of the type 'RRSIG'. These queries do not occur in normal DNSSEC operation, because RRSIG records are ordinarily returned along with the records they cover, but such a query can be used for manual testing purposes. As a result of the change in 9.7.1, if the cache did not contain any RRSIG records for the name, such a query would trigger an endless loop of recursive queries to the authoritative server.
This patch backs out that change, and this will be fixed in a future release. So, those of you that upgraded to 9.7.1-P1 will need to apply this patch.
It can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Be on the Alert, (Thu, Jul 15th)

Thu, 07/15/2010 - 11:18
I am seeing a large amount of spam hit our network that has been successful at fooling our spam filter. The emails contain .zip and .html extensions with various file names. The subject also varies. Some subjects that I have seen are:

Your Funds Will Be Transferred
From Jan RIchter (name varies)
Newest Products
Latest Software

The zip file is being analyzed to determine what payload may be involved. You may want to remind your email users to refrain from opening any attachments that they weren't expecting to receive.
UPDATE: We have received some information from one of our readers that the zip file that he received contained a multiple exploit-kit downloader. He indicated that there are over 120,000 successful downloads of the exe file. They have discovered that IP address 173. 204. 119 . 122 is where the file appears to be hosted and is being updated with new binaries consistently. The downloader appears to grab a few files with random file names and has been observed connecting to imagehut4 .cn, allxt .com, hitinto .com. Jason indicates that all files appear to run fully under Windows VMware and are resistant to detection by many of the common threat programs.
Many thanks to Jason for supplying us with the information.
We also have received a report of emails that are hitting which tell the recipient that the letter cannot be opened due to low screen resolution. It says that they need to open the attached zip file for the message. Again the filename for the zip file varies. Thanks to Jason R for this information.

Deb Hale Long Lines, LLC

Secunia Half Year Report for 2010 shows interesting trends, (Wed, Jul 14th)

Wed, 07/14/2010 - 10:36
I came across an article yesterday at secunia.com. Secunia is a leading provider of Vulnerability Intelligence and tracks the evolution of security threats. They have posted their Half Year Report 2010 which includes some interesting trends and statistics. This information may be of interest to some of our readers so I thought it might make an interesting diary.

The key highlights of the Secunia Half Year Report 2010 are:

Since 2005, no significant up- or downward trend in the total number of vulnerabilities in the more than 29,000 products covered by Secunia Vulnerability Intelligence was observed.
A group of ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco, account on average for 38 percent of all vulnerabilities disclosed per year.
In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760.
During the first six months of 2010, 380 vulnerabilities, or 89% of the figure for all of 2009, have already been reached.
A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.

The report does a good job of discussing the current trends and statistics and highlights what they are seeing for vulnerabilities.
To review the full report, check it out at http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf.
Deb Hale Long Lines, LLC

July 2010 Microsoft Black Tuesday Summary, (Tue, Jul 13th)

Tue, 07/13/2010 - 13:30
Overview of the July 2010 Microsoft Patches and their status.
Important: with today's patches, support for XP SP2 officially comes to an end. There will be no more patches for XP SP2 after today.




Columns: # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) (clients / servers)

MS10-042 - Vulnerability in Help and Support Center Could Allow Remote Code Execution
  Affected: Windows XP SP2 and above, Windows Server 2003 SP2 (CVE-2010-1885)
  Contra Indications: KB 2229593
  Known Exploits: actively being exploited
  Microsoft rating: Severity: Critical, Exploitability: 1
  ISC rating(*): clients PATCH NOW!, servers Critical

MS10-043 - Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
  Affected: Windows 7 x64, Windows Server 2008 R2 x64 (CVE-2009-3678)
  Contra Indications: KB 2032276
  Known Exploits: no known exploits
  Microsoft rating: Severity: Critical, Exploitability: 2
  ISC rating(*): clients Critical, servers Critical

MS10-044 - Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution
  Affected: Access 2003 SP3, Access 2007 SP1 and above (CVE-2010-0814, CVE-2010-1881)
  Contra Indications: KB 982335
  Known Exploits: no known exploits
  Microsoft rating: Severity: Critical, Exploitability: 1,1
  ISC rating(*): clients Critical, servers Critical

MS10-045 - Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (Replaces MS09-060)
  Affected: Outlook (CVE-2010-0266)
  Contra Indications: KB 978212
  Known Exploits: no known exploits
  Microsoft rating: Severity: Important, Exploitability: 1
  ISC rating(*): clients Critical, servers Critical

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.


The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.



---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

FOR408 coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=22353

VMware Studio Security Update, (Tue, Jul 13th)

Tue, 07/13/2010 - 10:19
The folks at VMware have posted a new bulletin and update to address a privilege escalation in a non-default configuration of appliances created with VMware Studio 2.0.
---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

FOR408 coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=22353

Forensic challenge results, (Tue, Jul 13th)

Mon, 07/12/2010 - 21:37
The results of the SANS Forensics Challenge (aka the 6th challenge from Jonathan Ham and Sherri Davidoff at http://forensicscontest.com) were announced last week at the SANS Forensics and Incident Response Summit. The winning entry was submitted by Wesley McGrew and included a cool new tool, pcapline.py. The other finalists also came up with some interesting tools, so be sure to check out all of them.
---------------

Jim Clausing, jclausing --at-- isc [dot] sans (dot) org

FOR408 is coming to central OH in Sept, see http://www.sans.org/mentor/details.php?nid=22353

Thoughts on Malware for Mobile Devices - Part 2, (Mon, Jul 12th)

Mon, 07/12/2010 - 14:44
In last month's diary I asked two main questions.
How would I really know if there was malware on my smart phone?
How do we really know that mobile malware is not widespread right now?
So a poll was created asking for your experiences.
One reader commented asking what the definition of malware was. Given that most of the readers of this diary are sufficiently knowledgeable about security to dismiss tracking cookies and other such things, I have to believe that only true malware is being reported.
I hope you reported the cookies.
The results and some preliminary analysis follows:
DISCLAIMER: This is not a scientific poll, I am not a statistician and this should in no way be construed as an effort to spread FUD.
Of 540 respondents to date (the six respondents listing other have been removed as their methods and results were not described)
83 of 540 (15.3%) of respondents were scanning for malware.
15 of 83 (18.1%) who were looking for malware on their mobile device found it.
457 of 540 (84.6%) were not scanning their devices.
Now, 540 responses is not a particularly large sample, but I have been monitoring the statistics as responses are entered and the percentage of people reporting they found malware consistently ranged from 15-20% so 18.1% seems to be a reasonable number. Likewise the percentage of people who were not scanning ranged consistently from 82-86%
Based on those numbers, 83 of the 457 people who responded who were not looking for malware would be infected. Ouch.
How many mobile devices are out there right now?
How many in your office building? How many in your city, your state, your country?
How many in the world?
Let's say these numbers are double what would be seen in the population at large.
Even so, if 9% of all the smart phones were infected with malware (especially if we didn't know it), that would be cause (IMHO) for alarm.
I couldn't find any good numbers on existing smart phones but according to this ZD Net Article Credit Suisse projected that total smartphone sales for 2009 will end up at around 176 million units. In the years ahead, Credit Suisse expects the smartphone market to balloon to around 1.5 billion units. By comparison, worldwide unit sales of all mobile phones in 2009 will be about 1.2 billion and worldwide unit sales of all PCs in 2009 will be about 300 million.
Let's say the Credit Suisse was way, way off and we'll say there are only 100 Million smart phones in the world today.
And we'll say that even the 9% above was way off and it's half that, which would be only 25% of what the poll you responded to said.
4.5 Million infected devices.
1.5 Billion Units? I don't even want to think about it.
Do the math. Plug in your own numbers. Check your smart phones.
So my delayed, and corrected, answer to the gentleman at SANSFire who asked "Will this year be the year that malware on mobile devices becomes a problem?" is:

I think it is. We just don't know it.

Will you be following up with a site you can point your mobile app to that can scan it online?
I know my handy phone has started using its entire battery life in under 12 hours - ever since I downloaded a ring tone. So I'm really worried.
By the way, how do you look and see what's running on a mobile app? I don't see any cmdline prompt.
Any recommendations for mobile AV?
Thanks Mikel

I don't know of any site that you can point your mobile device to and have it be scanned online, and I would think that data charges for that would be prohibitive unless you had a truly unlimited data plan.
As for recommendations, it's no secret I'm not a fan of signature based AV. However, this is a case where something is better than nothing.
A defense in depth approach would be to use a different vendor on your smart phone than you use for your PC AV and then if possible, scan your device either on insertion to your PC or manually.
I'm not sure what OS is on your device, but if it's Windows Mobile, task manager is there.

Christopher Carboni - Handler On Duty
http://twitter.com/ccarboni

Oracle July 2010 Pre-Release Announcement, (Sat, Jul 10th)

Sat, 07/10/2010 - 16:20

Oracle has published the Oracle Critical Patch Update Pre-Release Announcement for July 2010. The announcement states that Oracle is releasing 59 vulnerability fixes, including 21 for Solaris products. Of course these numbers may change between now and the expected release date, July 13, 2010.

--Tony Carothers

Software Update for Cisco IE 3000 Series Switches, (Sat, Jul 10th)

Sat, 07/10/2010 - 12:46
Cisco recently released an update to their Industrial Ethernet 3000 (IE 3000) Series switches, in which two software versions have a hard-coded SNMP address vulnerability. A workaround and software update are available. I would like to point out a detail in this advisory that seems pertinent given the industrial application of these devices. On the notification page is another advisory: "Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment."

--Tony Carothers