The Google Online Security Blog posted a brief article giving their opinion on the full vs. responsible disclosure debate, likely in the wake of the controversy over one of their researchers publishing a security vulnerability. The debate on publishing security vulnerabilities has been and remains a hot one. Almost all vendors support responsible disclosure (a term that I absolutely detest), where a researcher discloses the bug only to the software vendor, who then (hopefully) patches the bug. Full disclosure is publishing the vulnerability publicly once it is discovered (or in some cases, once a PR firm has been hired to manage the hype).
There are pros and cons to both approaches. Responsible disclosure really only works when there is responsible software development. However, if the good guys have the vulnerability, the bad guys have it and at least 12 more. With the exception of the few vendors which buy vulnerabilities, responsible disclosure does not allow the security community to develop counter-measures to protect against the threat while a patch is being developed. For instance, it took about a week for software to be developed to detect the LNK vulnerability, and there are still problems with it. On the other hand, full disclosure hands the details to the bad guys in public so they can immediately exploit the vulnerability. It does, however, get vendors and researchers to move quickly.
What are your thoughts on how disclosure should be handled?
--
John Bambenek
bambenek at gmail /dot/ com
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
SophosLabs has just released a free tool that provides detection against the Windows shortcut exploit that we wrote about last week here and here. Sophos has indicated it works alongside any antivirus software and on Windows XP/Vista/7, but not Windows 2000. When Windows tries to display the icon for a shortcut, the tool intercepts the request in order to validate it and hands control back to the user if it is not found to be malicious.
SophosLabs has made a video available explaining the exploit and how the tool works here, and the tool is available for download here.
Update 1: This tool currently only protects against LNK files and does not protect against PIF-based exploits. It also does not protect against LNK files or targets stored on the local disk. Thanks to ISC reader Gerrit for the additional information.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
I've been out of touch the last month or two with special projects and vacation so today was my day to catch up on some old email. One item that caught my interest is an update to one of Mandiant's free tools, Web Historian to version 2.0. If you are an incident responder or forensic investigator Web Historian may be of interest to you.
Web Historian is a great tool for collecting and analyzing web browsing history information. The original version of this software dates back a few years to when Mandiant was still RedCliff and was showing a little rust. The new version is a complete rewrite and redesign of this popular tool. This version of Web Historian has a bunch of new features and supports Firefox 2/3+, Chrome 3+, and Internet Explorer versions 5 through 8.
For more information about Web Historian 2.0 see the Mandiant Blog.
To download and try Web Historian 2.0 go to the download page.
-- Rick Wanner - rwanner at isc dot sans dot org - http://rwanner.blogspot.com/
There is nothing new about the issue of unsecured sensitive data traveling across the network in plain text. Many popular websites already use SSL to encrypt information because they became aware of the man-in-the-middle attack, so their owners secured their web pages to avoid it.
Unfortunately, there are many companies that think nothing will happen if they send logon information in plain text. You could say there is no problem with hashed passwords, but hashing alone is not enough: rainbow tables are widely used, so if a hash is grabbed from the network it will be cracked in no time.
Deploying SSL and authenticating both ends might be a cheap and reliable solution for this. Yes, I know SSL is vulnerable to man-in-the-middle attacks, but if you authenticate certificates on both ends and pay attention when a certificate warning appears, the risk is adequately minimized.
How many of us have clicked straight through "Continue to this website" without paying attention to what the error in the certificate is?
I have seen universities where students capture professors' usernames and passwords and start selling grade changes. I have seen many hijacked e-mail accounts on ISPs that don't encrypt logon information.
These controls are easy to deploy: IIS has SSL client certificate authentication, and Apache implements it as well. If you use all the security functionality available in your IT infrastructure, you will minimize many information security risks like this one.
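As an added illustration (not part of the diary), this is what the Apache side of that control looks like with mod_ssl: the weak setting is a login portal served on port 80 with no TLS at all; the corrected configuration moves it behind TLS and requires every client to present a certificate issued by the site's own CA before any request is served. The host name, file paths and CA name are assumed placeholders.

```apache
# Weak setting, as many sites still run it: the login form is served over plain
# HTTP, so usernames and password hashes cross the wire readable by anyone on path.
#
#   <VirtualHost *:80>
#       ServerName   portal.example.edu
#       DocumentRoot /var/www/portal
#   </VirtualHost>

# Corrected: port 80 only redirects, and the real service lives on 443 with TLS
# plus client certificate authentication ("authenticating both ends").
<VirtualHost *:80>
    ServerName portal.example.edu
    Redirect permanent / https://portal.example.edu/
</VirtualHost>

<VirtualHost *:443>
    ServerName   portal.example.edu
    DocumentRoot /var/www/portal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal.example.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/portal.example.edu.key

    # The server verifies the client: the presented certificate must chain to
    # the institution's CA (assumed path), or the TLS handshake is refused and
    # no logon form is ever shown.
    SSLCACertificateFile  /etc/ssl/certs/example-edu-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Expose the verified subject to the application so it can map the
    # certificate to a user instead of asking for a password at all.
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
```

With `SSLVerifyClient require` the browser prompts the user to choose a certificate; a client without one from that CA never reaches the application, which is the server-side half of the mutual authentication described above.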
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
gpgsm is a tool similar to gpg, designed to provide encryption and digital signing services based on X.509 certificates and the CMS protocol. There is a bug in this tool that is triggered when importing an X.509 certificate with more than 98 subject alternative names, or implicitly while verifying a signature.
Version 2.0.16 is affected, and older versions should be affected as well. More information at http://lists.gnupg.org/pipermail/gnupg-announce/2010q3/000302.html
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
We would like to clarify something for our readers because of an e-mail received today. There are two types of diary: one-liners, where we tell you things you should know and where we don't have anything else to add, and full diaries, where we discuss a subject. For example, we use one-liners to talk about the many updates to popular software; we just point you to the link. These are not advertisements for other companies :)
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
When teaching Security Essentials (SEC401) we often talk about one of the more useful hacking tools in everyone's arsenal: a browser. Wielding a browser in the right manner can expose all kinds of interesting information, as is the case with vBulletin version 3.8.6.
vBulletin, used to power online discussion sites, has a serious flaw in vB 3.8.6. Browsing to the FAQ page on a vulnerable site and searching for the right term will disclose the database credentials, which can then be used to further compromise the site (http://www.securityfocus.com/archive/1/512575). It shows that vulnerabilities do not need to be complex. It also shows that code review, testing and, of course, input validation are essential.
The vendor jumped on the issue quickly and provides a patch on their site. Later versions of the product that are not vulnerable are also available. There still seem to be sites running the vulnerable code. If yours is one of them, you may want to patch soon.
MH
In addition to Stuxnet, which has been using the LNK vulnerability to exploit systems since approximately the 14th of this month (possibly longer), a few researchers have mentioned that they have encountered additional malware utilising the LNK vulnerability. ESET has a write-up on what they have found here: http://blog.eset.com/2010/07/22/new-malicious-lnks-here-we-go
Until patched expect more.
MH
Usually when I receive an email that looks like spam, I can just mash my Send to Junk keyboard shortcut and it goes away. But every once in a while there is a decent-looking spam that *might* be real. At first glance it won't have any images, won't be selling Viagra or anything like that, and might just look real.
This is where the common-sense approach to reading email kicks in. Obviously this post is not for the expert; it is probably more for the occasional user, but maybe someone in between will find it useful.
Here's a spam I received this morning that prompted me to write this diary:
From: Comcast
This is a courtesy reminder that your Comcast Billing Information needs to be verified.
In order to continue using comcast services, click the link below, sign in and and follow the provided steps:
Malicious Link was right here
Regards,
Comcast Billing Department
So, let's look at this and see how easy this is to detect:
I'm not a Comcast customer. So right there, it was easy to detect.
comcast in the second line is not capitalized. A real Comcast email would have capitalized their own company's name.
Usually an email like this (from Comcast corporate) would tend to have all kinds of disclaimers and other nonsense at the bottom of the email.
The link that I removed was not to comcast.com.
Now, if we get into the weeds a bit more, we can look at the headers and see where it came from.
It came from a server at a .edu. I don't want to talk about which .edu (but it was in the United States), as I am going to try and get in touch with their security department after I get done writing this Diary.
Even worse, it came from the root account on this server, and the headers even indicate what version of Linux this server was running (Ubuntu). Most likely culprit? Probably an SSH scan that compromised the root account.
Make sure you have tight controls over those SSH accounts! And use common sense when reading your email. If it looks like bull and it smells like bull, chances are it's bull.
Hopefully this helped someone.
Oh, the malicious link? Pointed you to a site that collected your usernames and passwords.
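The tells listed above can be checked mechanically. The Python script below is an added example, not part of the diary: it runs those heuristics (claimed brand vs. sender domain, link host vs. brand domain, the lower-case "comcast", credential-lure wording, and the first-hop Received header showing a root-originated message) over a constructed message modelled on the one quoted, with a second constructed message that passes for contrast. The sender host, link host and Received lines are placeholders, since the diary withholds the real ones.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed message modelled on the one quoted above. Sender host, link host and
# Received lines are placeholders; the diary withheld the real ones.
SAMPLE = """\
Received: from mailhost.example.edu (mailhost.example.edu [192.0.2.10])
    by mx.example.com with ESMTP; Thu, 22 Jul 2010 09:14:02 -0400
Received: by mailhost.example.edu (Postfix, from userid 0)
    id 0DEADBEEF; Thu, 22 Jul 2010 09:13:55 -0400
From: Comcast <root@mailhost.example.edu>
To: someone@example.com
Subject: Comcast Billing Information
Content-Type: text/plain

This is a courtesy reminder that your Comcast Billing Information needs to be verified.
In order to continue using comcast services, click the link below, sign in and and follow the provided steps:
http://billing-verify.example.net/comcast/
Regards,
Comcast Billing Department
"""

# Constructed counter-example: what a message from the real brand would look like.
LEGIT = """\
Received: from mta.comcast.com (mta.comcast.com [192.0.2.20])
    by mx.example.com with ESMTP; Thu, 22 Jul 2010 10:02:11 -0400
From: Comcast <billing@comcast.com>
To: someone@example.com
Subject: Your Comcast statement is ready
Content-Type: text/plain

Your July statement is available at https://www.comcast.com/account
Comcast Billing Department
"""

# Brand named in the sender or subject -> domain its mail and links should belong to.
BRANDS = {"comcast": "comcast.com"}
LURE = re.compile(r"\b(verif(?:y|ied)|sign in|click the link)\b", re.I)


def _same_org(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def assess_message(raw, brands=BRANDS):
    """Return the tells found in one RFC 5322 message plus its originating host."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    subject = str(msg["subject"] or "")
    sender = msg["from"].addresses[0]
    links = re.findall(r"https?://[^\s<>\"']+", body)
    prose = re.sub(r"https?://\S+", "", body)   # URLs are legitimately lower case
    codes = []

    for brand, domain in brands.items():
        if brand not in (sender.display_name + " " + subject).lower():
            continue                              # this brand is not claimed
        if not _same_org(sender.domain, domain):
            codes.append("sender-domain-mismatch")
        if any(not _same_org(urlparse(u).hostname, domain) for u in links):
            codes.append("link-host-mismatch")
        # Case-sensitive: matches "comcast" in running text, not "Comcast".
        if re.search(r"(?<![A-Za-z])" + brand + r"(?![A-Za-z])", prose):
            codes.append("brand-not-capitalized")
    if LURE.search(body):
        codes.append("credential-lure-wording")

    # The last Received header is the first hop: where the message entered the mail system.
    received = msg.get_all("received") or []
    origin = str(received[-1]) if received else ""
    m = re.search(r"\bby\s+([\w.-]+)", origin)
    origin_host = m.group(1) if m else None
    if sender.username.lower() == "root" or re.search(r"from userid 0\b", origin):
        codes.append("origin-root-account")
    return {"codes": codes, "origin_host": origin_host, "links": links}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("legit", LEGIT)):
        result = assess_message(raw)
        print(label, "origin host:", result["origin_host"], "tells:", result["codes"])
```

None of these checks is conclusive on its own (a real provider can send from a contractor's domain, for instance), which is why the function returns every tell it finds rather than a verdict; three or more together is usually enough to hit Send to Junk.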
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
Note that this malware does NOT exploit 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198. It simply uses the autorun.inf to launch the executable, or waits for the user to double click the .LNK file. I wrote up this diary before fellow handler Bojan pointed that out to me.
Aaron wrote in the following:
We had a user get infected ... The symptoms we saw were as follows:
The virus hides all folders on the root of any drive it has write access to.
It then drops an LNK file named the same as all of the folders. So you have a series of LNK files where your folders used to be. This appears to only happen at the root of the drive(s) the user has write access to.
Then the virus drops an autorun.inf, EXE, and SRC file at the root of the infected drives.
One of the things we did to scan our server shares was to run robocopy in list-only mode. We used a command similar to this:
robocopy servershare c: *.lnk /MAXAGE:2 /L /S /R:3 /W:3 /NDL
It scans for any LNK files created in the past 2 days. The reasoning is that LNK files should not be created very often on shares, so a large number of them would be suspicious.
He also sent us a copy of the files found on the affected system. The virustotal.com results yesterday were 11/36 (30.56%).
This is what the .LNK file looks like:
xxd Backup\ Drive.lnk
0000000: 4c00 0000 0114 0200 0000 0000 c000 0000  L...............
0000010: 0000 0046 cb00 0000 0700 0000 0000 0000  ...F............
0000020: 0000 0000 0000 0000 0000 0000 007b b54b  .............{.K
0000030: 7627 cb01 00c2 0100 0300 0000 0100 0000  v'..............
0000040: 0000 0000 0000 0000 0000 0000 7500 1400  ............u...
0000050: 1f50 e04f d020 ea3a 6910 a2d8 0800 2b30  .P.O. .:i.....+0
0000060: 309d 1900 2f43 3a5c 0000 0000 0000 0000  0.../C:\........
0000070: 0000 0000 0000 0000 0000 0046 0032 0000  ...........F.2..
0000080: c201 00f3 3c87 9907 0066 6f65 7576 652e  ....<....foeuve.
0000090: 7363 7200 002c 0003 0004 00ef be00 0000  scr..,..........
00000a0: 0000 0000 0014 0000 0066 006f 0065 0075  .........f.o.e.u
00000b0: 0076 0065 002e 0073 0063 0072 0000 001a  .v.e...s.c.r....
00000c0: 0000 004a 0000 001c 0000 0002 0000 0000  ...J............
00000d0: 0000 0000 0000 001c 0000 003f 0000 0023  ...........?...#
00000e0: 0000 0003 0000 0014 0000 0020 0000 0000  ........... ....
00000f0: 00fe 7f5c 5c43 6c69 656e 745c 4324 0043  ...\\Client\C$.C
0000100: 3a00 666f 6575 7665 2e73 6372 000c 002e  :.foeuve.scr....
0000110: 005c 0066 006f 0065 0075 0076 0065 002e  .\.f.o.e.u.v.e..
0000120: 0073 0063 0072 0021 0025 0073 0079 0073  .s.c.r.!.%.s.y.s
0000130: 0074 0065 006d 0072 006f 006f 0074 0025  .t.e.m.r.o.o.t.%
0000140: 005c 0073 0079 0073 0074 0065 006d 0033  .\.s.y.s.t.e.m.3
0000150: 0032 005c 0073 0068 0065 006c 006c 0033  .2.\.s.h.e.l.l.3
0000160: 0032 002e 0064 006c 006c 0000 0000 00    .2...d.l.l.....
Here are md5sums of the files captured:
4514e6b0ebf1859bc06464cc86e6b0aa 994e7f70c6c8cfdc0d10.lnk
eb72f852dc417e5c1c500d777b763ff5 autorun.inf
4514e6b0ebf1859bc06464cc86e6b0aa Backup Drive.lnk
4514e6b0ebf1859bc06464cc86e6b0aa dellinks.lnk
4514e6b0ebf1859bc06464cc86e6b0aa DELL.lnk
4514e6b0ebf1859bc06464cc86e6b0aa Documents and Settings.lnk
7a86fc2e33f1853e56e87968554a4f23 Documents.lnk
4514e6b0ebf1859bc06464cc86e6b0aa DOS.lnk
6c312fa82a83602bf4bac49c569dddba foeuve.exe
6c312fa82a83602bf4bac49c569dddba foeuve.scr
8dd2dbd509c9e30c9a481fb790521a2a Music.lnk
4514e6b0ebf1859bc06464cc86e6b0aa New Folder.lnk
62ed86349f7d418d67c0e4dbbf2b0b57 Pictures.lnk
4514e6b0ebf1859bc06464cc86e6b0aa Program Files.lnk
4514e6b0ebf1859bc06464cc86e6b0aa QUARANTINE.lnk
4514e6b0ebf1859bc06464cc86e6b0aa RECYCLER.lnk
4514e6b0ebf1859bc06464cc86e6b0aa Root_C.lnk
4514e6b0ebf1859bc06464cc86e6b0aa System Volume Information.lnk
4514e6b0ebf1859bc06464cc86e6b0aa temp.lnk
94ea35e7315ede1f3226b42e8a1197e9 Video.lnk
4514e6b0ebf1859bc06464cc86e6b0aa Vision5.lnk
4514e6b0ebf1859bc06464cc86e6b0aa VNCTEMP.lnk
4514e6b0ebf1859bc06464cc86e6b0aa WINDOWS.lnk
The affected .LNK files all have the same hash value, and the two dropped files (foeuve.*) share an md5sum as well. Here are the contents of autorun.inf:
cat autorun.inf
[AUtoRUn]
aCTION=Open folder to view files
SHeLLEXECuTe=FOeUVE.EXE
IcoN=%syStEMRoOt%\sySTEm32\Shell32.dll,4
Today the virustotal.com results for foeuve.scr are similar, 23/41 (56.1%).
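Aaron's share scan and the autorun.inf above can be combined into one check. The Python script below is an added example, neither Aaron's robocopy command nor anything from the diary: it walks a share or drive root, flags `.lnk` files that are recent (the `/MAXAGE:2` idea) or named after a sibling folder (the symptom Aaron describes), parses `autorun.inf` case-insensitively for an executable launch target, and compares md5 sums against the hashes listed above. The directory tree it builds is constructed for the demo; the shortcut and `.scr` contents are placeholders, so on that tree only the naming and autorun checks fire.

```python
import hashlib
import os
import tempfile
import time

# MD5 sums the diary lists for the dropped files (values taken from the page).
KNOWN_BAD_MD5 = {
    "4514e6b0ebf1859bc06464cc86e6b0aa",   # the cloned-folder .lnk
    "6c312fa82a83602bf4bac49c569dddba",   # foeuve.exe / foeuve.scr
}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# The autorun.inf quoted in the diary; the mixed case is the sample's own.
AUTORUN_SAMPLE = ("[AUtoRUn]\naCTION=Open folder to view files\n"
                  "SHeLLEXECuTe=FOeUVE.EXE\nIcoN=%syStEMRoOt%\\sySTEm32\\Shell32.dll,4\n")


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_autorun(text):
    """Keys of the [autorun] section, lower-cased. Windows matches section and key
    names case-insensitively, so the odd casing in the sample hides nothing."""
    keys, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def scan_share(root, max_age_days=2, now=None):
    """Return (path relative to root, reason) findings for one share or drive root."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext == ".lnk":
                if now - os.path.getmtime(path) <= max_age_days * 86400:
                    findings.append((rel, "recent .lnk"))      # robocopy /MAXAGE:2 /L
                if stem.lower() in sibling_dirs:
                    findings.append((rel, "shortcut named after sibling folder"))
            if name.lower() == "autorun.inf":
                with open(path, encoding="latin-1") as f:
                    keys = parse_autorun(f.read())
                for k in ("shellexecute", "open"):
                    if os.path.splitext(keys.get(k, ""))[1].lower() in EXEC_EXTS:
                        findings.append((rel, f"autorun {k}={keys[k]}"))
            if ext in EXEC_EXTS or ext == ".lnk":
                if md5_file(path) in KNOWN_BAD_MD5:
                    findings.append((rel, "md5 matches diary sample"))
    return findings


def build_demo_tree(root, now=None):
    """Constructed stand-in for an infected share root (placeholder file contents)."""
    now = time.time() if now is None else now

    def put(name, data, mtime):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (mtime, mtime))

    for d in ("Documents and Settings", "WINDOWS", "Program Files"):
        os.mkdir(os.path.join(root, d))
    for d in ("Documents and Settings", "WINDOWS"):       # shortcuts standing in for folders
        put(d + ".lnk", b"L\x00\x00\x00 constructed placeholder, not the sample", now)
    put("foeuve.scr", b"MZ constructed placeholder", now)
    put("autorun.inf", AUTORUN_SAMPLE.encode("latin-1"), now)
    put("readme.txt", b"benign", now)
    put("Old Link.lnk", b"L\x00\x00\x00 old and benign", now - 30 * 86400)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_share(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:40} {rel}")
```

On a real share the md5 check is the high-confidence signal and the other three are triage aids; a burst of recent `.lnk` files whose names mirror the folders beside them is exactly the pattern Aaron saw, and it shows up before any antivirus signature does.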
Thanks Aaron!
So, in a nutshell, not the exploit or malware we were looking for, but interesting nonetheless.
Cheers,
Adrien de Beaupré
EWA-Canada.com
A Dell support forum post confirms that PowerEdge R410 replacement motherboards contain malware. The posting is here: en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx. The embedded server management firmware in some motherboards contains the malicious code. The issue is not present on new servers and does not impact non-Windows based servers. No further information on the malware itself, mitigation techniques, the specific motherboards affected, or the method of the original infection is yet available. Dell is sending snail mail and calling affected customers. Thanks Geoff and one other reader for bringing this to our attention!
Cheers,
Adrien de Beaupré
EWA-Canada.com
Adobe have announced that Reader will run in a sandbox called Protected Mode blogs.adobe.com/asset/2010/07/%20introducing-adobe-reader-protected-mode.html. It is based on Microsoft's Practical Windows Sandboxing blogs.msdn.com/b/david_leblanc/archive/2007/07.aspx. This is good news as it will drastically reduce the attack surface of Adobe Reader and mitigate the impact of any vulnerabilities within the product.
Cheers,
Adrien de Beaupré
EWA-Canada.com
Microsoft have updated their security advisory 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198 to describe further attack vectors for this vulnerability. The vulnerability can be exploited using .LNK files on removable drives, via WebDAV and network shares, using .PIF files as well as .LNK, and through documents that can have shortcuts embedded within them. The original discussion on this vulnerability is here: isc.sans.edu/diary.html?storyid=9181
The ISC has previously raised the infocon isc.sans.edu/diary.html?storyid=9190 with regards to this issue, and will continue to monitor for any changes. Please let us know via our contact us page or by commenting below if you have any new information on the issue, have been affected by this vulnerability being exploited, or have a copy of malware taking advantage of it.
Cheers,
Adrien de Beaupré
EWA-Canada.com