Quarantine your infected users spreading malware

many isp’s who do care about issues such as worms, infected users “spreading the love”, etc. simply do not have the manpower to handle their entire infected user population.

it is becoming more and more obvious that the answer may not be at the isp’s doorstep, but the isp’s are indeed a critical part of the solution. what their eventual role in user safety will be i can only guess, but it is clear (to me) that this subject is going to become a lot “hotter” in coming years.

aunty jane (as dr. alan solomon (drsolly) likes to call your average user) is the biggest risk to the internet today, and none of us quite has a good idea yet of how to fix the user. especially since it is not just one user, as the heinlein quote below puts it.

some user/broadband isp’s (as opposed to, say, tier-1 and tier-2’s, who would be against it: “don’t be the internet’s firewall”) have been blocking ports such as 139 and 445 for a long time now, successfully preventing many of their users from becoming infected. this is also an excellent first step in responding to relevant outbreaks and halting their progress.

philosophy aside, it works. it stops infections. period.

back to the philosophy, there are some other solutions as well. plus, should this even be done?

one of them has been around for a while, but just now begins to mature: quarantining your users.

quarantining infected users may sound a bit harsh, but consider: if a user is indeed infected and does “spread the joy” on your network as well as others’, and you could simply firewall him (or her) out of the world (vlan, or other solutions which may be far better), letting him (or her) reach only a web page explaining the problem, it’s pretty nifty.

as many of us know, handling such users on tech support is not very cost-effective for isp’s: if a user makes a call, the isp already loses money on that user. then again, paying abuse desk personnel just so that they can disconnect your users is losing money too.

which one would you prefer?

jose (nazario) points to many interesting papers on the subject on his blog.

this (as well as port blocking) is more true for organizations other than isp’s, but if they are indeed user/broadband isp’s, i see this as both the effective and the ethical thing to do, provided the users are notified that this might happen when they sign their contracts. then all the “don’t be the internet’s firewall” debate goes away.

i respect the “don’t be the internet’s firewall” issue, not only for the sake of the cause but also because friends such as steven bellovin and others believe in it a lot more strongly than i do. bigger issues such as the safety of the internet exist now. that doesn’t mean user rights are to be ignored, but certainly neither should ours be, especially when theirs are mostly unaffected?

i believe both are good and necessary solutions, but every organization needs to choose what is best for it, rather than follow some pre-determined blueprint. what’s good for one may be horrible for another.

“you don’t approve? well too bad, we’re in this for the species boys and girls. it’s simple numbers, they have more and every day i have to make decisions that send hundreds of people, like you, to their deaths.” — carl jenkins, starship troopers, the movie.
i don’t think the second part of the quote is quite right (to say the least), but i felt bad leaving it out, it’s heinlein (even if not original) after all… anyone who claims he is a fascist though will have to deal with me. :)
this isn’t only about users, it’s about the bad guys and how they out-number us, too. they have far better cooperation to boot.

there are several such products around and they have been discussed before, but i haven’t tried them myself as of yet, so i can’t really recommend any of them. can you?

i’ll update on these as i find out more here on the blogs: http://blogs.securiteam.com/

this write-up can be found here: http://blogs.securiteam.com/index.php/archives/312

gadi evron,


PHP as a secure language? PHP worms?

like i just wrote to bugtraq on this subject (it’s being discussed there now), indeed, the most annoying thing about the php worms today is that the php vulnerabilities being exploited are everywhere.

as i already mentioned, this recent linux worm has more to it, but that’s in another post.

these vulnerabilities being exploited are very difficult to protect from because:
1. php is the “serious” or at least open-source/linux/security freak’s choice for web development. mine as well (although, as many still say, perl does a better job).

2. developing secure applications in php is difficult, as one of php’s creators said recently – even for him, after years of trying.

3. staying on top of new php vulnerabilities has become almost impossible; they pop up everywhere.

4. determining how secure a php application is by looking at the code and at how silly its past vulnerabilities were (i.e. looking at the coder rather than the code) is now more important than the actual application.

much like their self-criticism said, php needs to grow into a far more secure language, much like we need to choose more carefully what php software we use.

some of us have been joking for a while about creating a script that picks from different paragraphs we write and emails bugtraq, re-assembling them randomly with a new php bug and a random php application name every few hours. would any of us be able to readily tell the difference?

from all the fish we can barely see the water. :(

as to the worms, this has been going on for longer than the 2 months the person i was replying to mentioned, but he is correct.

one note i’d like to make is that even if the second (interesting) payload in the linux worm wasn’t there, just because someone utilizes old malware in the creation of new malware doesn’t mean it isn’t new, or 99.9% of any “virus” ever written would be old.

does bagle.**** ring a bell with anyone? :)

if any of you are interested in sharing web server logs and being notified of new php problems we all notice online, drop me a note.

gadi evron,


PHP worms – all the buzz yet nobody really writes about it

like i just wrote to bugtraq, indeed, it has become an annoying trend that everybody talks about but almost nobody writes about: trojan horses, worms, etc. exploiting php bugs, either vulnerabilities in known applications such as wordpress, phpbb, drupal, etc., or actually trying different permutations to attack the site.

many of these are in fact based on the old kaiten code. as someone mentioned previously in that thread or another, it can even be found on packet storm.

still, this latest one has a kick in the second payload: a worm that also attacks other systems, and i can say it is not just yet another php worm but actually what i’d call linux malware.

anyone else seeing their web server logs going crazy with new patterns every day? email me; i am starting a sharing system where these can be shared mutually so we can better protect ourselves, create signatures, etc.

gadi evron,


Inqtana.A – The OS X Bluetooth Worm

Times are getting interesting for OS X users out there: first we have news of Leap.A, the OS X virus that’s currently doing the rounds, and now we have Inqtana.A, an OS X Bluetooth proof-of-concept worm for OS X 10.4 (Tiger).

Inqtana.A has not yet been seen in the wild, but it is recommended that you install the latest security patches from Apple just to make sure that you’re covered in case this turns into more than just a proof-of-concept. Inqtana.A uses a Bluetooth library which expires on the 24th of February, so it is unlikely that this will be seen in the wild in its current form, but the PoC is there now, and this leaves openings for someone to make use of it.

The CVE number for this worm is CVE-2005-1333.
Inqtana.A arrives on victims’ systems as an OBEX Push request, and the user will be prompted to accept the data transfer. If the user accepts the data transfer, Inqtana.A will then use a directory traversal exploit to copy its files so that it starts up automatically upon the next reboot. Once the system has been rebooted and Inqtana.A has been activated, it will then look for any devices that accept OBEX Push requests and try to copy itself to those devices in the same manner.

Inqtana.A tries to copy 3 files via Bluetooth to replicate; the files are:
w0rm-support.tgz – The worm components
com.openbundle.plist – Needed for automatic startup after reboot
com.pwned.plist – Needed for automatic startup after reboot

To remove the worm from your system:
- Apply the latest security patches from Apple
- Remove the following files from your system:
– /Users/w0rm-support.tgz
– /Users/InqTest.class
– /Users/com.openbundle.plist
– /Users/com.pwned.plist
– /Users/libavetanaBT.jnilib
– /Users/javax
– /Users/de
– /Users/[user name]/Library/LaunchAgents/com.pwned.plist
– /Users/[user name]/Library/LaunchAgents/com.openbundle.plist

Thanks once again to the guys at F-Secure for all the info on this one.
It really seems like things are hotting up on the OS X front these days, which could be a good thing, as Apple has always been somewhat quiet on security patches and exactly what they fix; maybe this will cause them to give a bit more disclosure on the subject. OS X has a reputation for being secure, and it’s one of Apple’s marketing messages, so to keep that, Apple are really going to have a lot of work to do on the security front if things start kicking off.


Laundry IV

In the last account I composed for you, Theophilus, I told of all that the Slades began to say and to do in regard to a new washing machine.

Now, this was a modern washing machine, surpassing all that had come before in energy efficiency. And lo, it came to pass that Rob went unto a physician, who was an allergist, and the allergist gazed upon the subcutaneous dust test and spake, and said that lo, he had never seen such a strong reaction, no, not even all the days of his practice.

(And lo, many people have this allergy, and know not that it is not dust, per se, that they are allergic to. For the mites of the dust swarm and multiply, and cannot be seen with the naked eye. But it is not even the mites of the dust that people are allergic to, but it is the dust mite poo which causes itching, and red eyes, and runny noses. And this fact is ick-making.)

And he gave unto Rob (and also unto Gloria) the scriptures of the Allergy and Asthma Teaching Unit, and also of Allergy Control Products Incorporated. And these scriptures, and the scriptures found on the Web of the Wide World, spake many things, but the one thing upon which all were agreed was that the most effective means of dealing with dust mites and dust mite poo was to wash your bedsheets regularly in water that is, at minimum, 130 degrees F.

And the Slades went to the new washing machine, and ran a “hot” wash, and did measure that wash, and the temperature of it was 80 degrees. And the Slades then noticed that the “hot” cycle was within the range of the “Automatic Temperature Control,” and Rob bethought him that the Machines are getting Too (*&^(*&^ Much Power These Days.

And the Slades did search through the washing machine manual, and couldn’t find any specifications, and called again unto Sears, and left a message for the Excellent Sales Representative, and she returned not the message, and called again and spoke with another Sales Representative who was not so Excellent who said to call the service number, and called twice unto the service number and spoke to two different Service Representatives (though we know not whether they were Excellent or not) and they said they did not know and that we would have to call the store.

(And Rob thought of more Very Bad Words describing Sears and all its Representatives.)

(And later, reading again in the manual, we found that the “hot” cycle was *supposed* to be set to 105 degrees, so the machine wasn’t working properly, but wouldn’t have been high enough in any case.)

So we went back to Sears and looked at their machines again, and found one that had ATC that controlled some but not all of the cycles, and paid the difference between the machines and another delivery charge, and had someone else who knew about washing machines come and install it. And watched it very carefully through the first few washings, and have been testing the water temperature and cranking up the thermostat on the hot water tank to try and get it to the magic 130 degree temperature.

And this morning, when we came downstairs, there was water under the machine, which hadn’t been there when we went to bed some hours after the last load was finished yesterday. And we looked in the cupboard beside the washer, where the feed hoses are connected, and the bottom cupboard was full of water. And there was a puddle on the top shelf, too. And drips coming from the faucet.

And in that moment, Rob became enlightened.

And he is now the Bodhisattva of Bleach, and is only still here on this temporal plane to show the rest of you the path to Immersion Illumination. The laundry nature you can perceive is not the true laundry nature. All human suffering comes about as a result of the futile attempt to achieve the Martha Stewart nature by your own efforts. Clean laundry and dirt are, alike, temporal and transitory: they are illusion. You must accept the interconnectedness of Filth and Fine Lingerie. You must purge yourself from fixation on freshness. This is the dharma of decorum: the karma of clean.


The New Face of Phishing (new phishing trends)

taken from ip with comments inline:

> the new face of phishing
> by brian krebs | february 13, 2006
> now here’s where it gets really interesting. the phishing site, which
> is still up at the time of this writing, is protected by a secure
> sockets layer (ssl) encryption certificate issued by a division of
> the credit reporting bureau equifax that is now part of a company
> called geotrust. ssl is a technology designed to ensure that
> sensitive information transmitted online cannot be read by a
> third-party who may have access to the data stream while it is being
> transmitted. all legitimate banking sites use them, but it’s pretty
> rare to see them on fraudulent sites.
> …
> http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html

brian is one of the more serious security-working reporters out there; i
always enjoy what he writes.

unrelated to brian…
still, this may be newly utilized these days, but it isn’t new. this was
even reported on techtv 2 years ago or so.

some new disturbing phishing trends from the past year:

post information in the mail message
that means that the user fills in his or her data in the html email
message itself, which then sends the information to a legit-looking site.

the problem with that is: how do you convince an isp that a real
(compromised) site is indeed a phishing site, if there is no
phishy-looking page there, but rather a script hiding somewhere?

trojan horses
this is an increasing problem. people get infected with these bots,
zombies or whatever else you’d like to call them, and then start sending
out the phishing spam while alternating the ip address of the phishing
server, which brings us to…

fast flux is a term coined in the anti-spam world to describe such
trojan horses’ activity.

the dns rr leading to the phishing server keeps changing, with a new ip
address (or 10) every 10 minutes to a day.

trying to keep up and eliminate these sites before they move again is
frustrating and problematic, making the bottleneck the dns rr, which
needs to be nuked.
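one way to put the fast-flux description above into a check, as an added example that is not part of the original post: a defender re-resolves a suspect hostname every few minutes and scores the churn (new addresses, many unrelated /24s, short ttl). the observations below are constructed, not real resolver data, and the thresholds are assumptions.

```python
"""Scoring a hostname's DNS churn for fast-flux behaviour.

Added example, not code from the original post. It assumes a defender has
re-resolved a suspect hostname (say, from a phishing URL) every few
minutes and kept each answer; the observations below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Sequence


@dataclass(frozen=True)
class Observation:
    ts: int                  # epoch seconds when the lookup was made
    addrs: FrozenSet[str]    # A records returned for the hostname
    ttl: int                 # TTL (seconds) the answer carried


def flux_summary(obs: Sequence[Observation]) -> Dict[str, float]:
    """Churn statistics for repeated lookups of one hostname.

    Fast-flux names hand out a new address (or ten) every few minutes to
    a day, from many unrelated networks (infected home machines), with
    short TTLs so the change takes effect quickly.
    """
    if len(obs) < 2:
        raise ValueError("need at least two observations")
    ordered = sorted(obs, key=lambda o: o.ts)
    all_ips = set()
    changes = 0
    for prev, cur in zip(ordered, ordered[1:]):
        all_ips |= prev.addrs
        if cur.addrs != prev.addrs:
            changes += 1
    all_ips |= ordered[-1].addrs
    # /24 diversity is a cheap offline proxy for "many different networks".
    prefixes = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in all_ips}
    span_hours = (ordered[-1].ts - ordered[0].ts) / 3600
    return {
        "unique_ips": len(all_ips),
        "set_changes": changes,
        "changes_per_hour": changes / span_hours if span_hours else 0.0,
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(o.ttl for o in ordered),
    }


def is_fast_flux(obs: Sequence[Observation], min_ips: int = 5,
                 min_prefixes: int = 3, max_ttl: int = 3600) -> bool:
    """Heuristic verdict; the thresholds are assumptions, tune to your data."""
    s = flux_summary(obs)
    return (s["unique_ips"] >= min_ips
            and s["distinct_prefixes"] >= min_prefixes
            and s["min_ttl"] <= max_ttl
            and s["set_changes"] >= 2)


# Constructed observations, 10 minutes apart, using documentation and
# shared address space only; not real data.
_T0 = 1_140_000_000
FLUX_SAMPLES = [
    Observation(_T0 + 600 * i, frozenset(a), 300) for i, a in enumerate([
        ("203.0.113.7", "198.51.100.21", "192.0.2.99"),
        ("203.0.113.7", "198.51.100.21", "100.64.3.8"),
        ("203.0.113.40", "198.51.100.21", "100.64.3.8"),
        ("203.0.113.40", "100.64.77.1", "100.64.3.8"),
        ("192.0.2.15", "100.64.77.1", "100.64.3.8"),
        ("192.0.2.15", "100.64.77.1", "198.51.100.200"),
    ])
]
STABLE_SAMPLES = [
    Observation(_T0 + 600 * i, frozenset(("192.0.2.10", "192.0.2.11")), 86400)
    for i in range(4)
]

if __name__ == "__main__":
    for label, samples in (("flux", FLUX_SAMPLES), ("stable", STABLE_SAMPLES)):
        verdict = "fast-flux" if is_fast_flux(samples) else "ok"
        print(label, flux_summary(samples), verdict)
```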


there are others, but as always – don’t rely on the written press for
your updated security information.

a few weeks ago dr. alan solomon (drsolly) wrote on the funsec list,
responding to someone saying he is shocked how inaccurate media reports
can be about his region in the world.

alan said something of the sort: “what? being in the security world and
seeing how security information gets mis-represented in the papers all
these years didn’t give you a hint? you honestly thought that it was
limited to your field?”

(not what he said, can’t find the exact quote right now, but i loved it.
his was a lot shorter. gotta love that guy).


gadi evron,


More info on the new Linux worm

the first part of the worm is yet another php worm (with drupal, wordpress, etc. attacked).
more information on older versions here:

there is another shell script called gicumz there:

cd /tmp
chmod +x session
cd /tmp
chmod +x derfiq

the worm itself that runs on the linux system though, is something new as far as we can tell.

gadi evron,


New Linux malware part of a botnet C&C

it has just been confirmed that the new linux malware is being controlled by a botnet c&c (command & control) server.

efforts are being made to take care of that server and notify the relevant isp’s.

gadi evron,


New Linux malware

[there are several updates on this subject on the main blogs site]

today, we received a notification about new linux malware itw (in the wild).

chas tomlin provided shadowserver and nicholas albright, who notified the relevant operational communities, with the information on the binaries. he captured them with sguil.

chas is working with shadowserver to identify better ways to track down/take down botnets.

the credit should go to him and shadowserver.

shadowserver has been a responsible and essential part of recent internet security activities.

as anti virus vendors have been notified and will soon do a write-up on it, i see no reason not to publicize it here.

c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq
e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session

we are not quite sure as of yet exactly what this does; it can be a linux virus, a linux trojan horse, a linux worm… we are not even sure if the checksums above are useful at all. we hope to know more soon and will update as we do.

there are some interesting strings to be noted:

notice %s :tsunami     = special packeter that wont be blocked by most firewalls
notice %s :pan         = an advanced syn flooder that will kill most network drivers
notice %s :udp         = a udp flooder
notice %s :unknown     = another non-spoof udp flooder
notice %s :nick        = changes the nick of the client
notice %s :server      = changes servers
notice %s :getspoofs   = gets the current spoofing
notice %s :spoofs      = changes spoofing to a subnet
notice %s :disable     = disables all packeting from this client
notice %s :enable      = enables all packeting from this client
notice %s :kill        = kills the client
notice %s :get         = downloads a file off the web and saves it onto the hd
notice %s :version     = requests version of client
notice %s :killall     = kills all current packeting
notice %s :help        = displays this
notice %s :irc         = sends this command to the server
notice %s :sh          = executes a command
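the help strings above are the kind of thing a triage script can key on. as an added example (not code from the original post), this pulls printable runs out of a file the way strings(1) does and matches the “notice %s :command = …” lines quoted above, case-insensitively since the post renders them in lowercase. SAMPLE and CLEAN are constructed byte strings, not the real ‘session’ or ‘derfiq’ files, and the hit threshold is an assumption.

```python
"""Triage a Linux binary against the kaiten-style bot help strings.

Added example, not code from the original post. SAMPLE and CLEAN below are
constructed byte strings that merely imitate such a binary.
"""
import re
import sys
from typing import Dict, List, Set

# Command names from the help text quoted in the post.
KAITEN_COMMANDS: Set[str] = {
    "tsunami", "pan", "udp", "unknown", "nick", "server", "getspoofs",
    "spoofs", "disable", "enable", "kill", "get", "version", "killall",
    "help", "irc", "sh",
}

# The help lines are printf templates: "NOTICE %s :CMD   = description".
HELP_LINE = re.compile(r"notice %s :(\w+)\s*=", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def kaiten_commands(strings: List[str]) -> Set[str]:
    """Command names whose help line appears among the extracted strings."""
    found: Set[str] = set()
    for s in strings:
        m = HELP_LINE.search(s)
        if m and m.group(1).lower() in KAITEN_COMMANDS:
            found.add(m.group(1).lower())
    return found


def triage(data: bytes, min_hits: int = 3) -> Dict[str, object]:
    """Score file contents; min_hits is an assumed threshold for a verdict."""
    strings = extract_strings(data)
    hits = kaiten_commands(strings)
    return {
        "string_count": len(strings),
        "matched": hits,
        "coverage": len(hits) / len(KAITEN_COMMANDS),
        "kaiten_family": len(hits) >= min_hits,
    }


# Constructed stand-in for a bot binary: an ELF magic, some non-printable
# filler and a handful of the help strings from the post.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"NOTICE %s :TSUNAMI     = special packeter that wont be blocked by most firewalls\x00"
    + b"\x90\xff\x12\x00"
    + b"NOTICE %s :PAN         = an advanced syn flooder that will kill most network drivers\x00"
    + b"NOTICE %s :KILL        = kills the client\x00"
    + b"NOTICE %s :GET         = downloads a file off the web and saves it onto the hd\x00"
    + b"NOTICE %s :SH          = executes a command\x00"
    + b"/usr/bin/perl\x00"
)
# Constructed benign file with ordinary strings only.
CLEAN = b"\x7fELF\x01\x01\x01\x00" + b"usage: prog [file]\x00Hello, world\x00"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, triage(fh.read()))
    else:
        print("constructed sample:", triage(SAMPLE))
        print("constructed clean file:", triage(CLEAN))
```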

‘session’, current detection:
antivir                                        found bds/katien.r
avast                 4.6.695.0/20060216       found nothing
avg                   718/20060217             found nothing
avira                                          found bds/katien.r
bitdefender           7.2/20060218             found nothing
cat-quickheal         8.00/20060216            found nothing
clamav                devel-20060126/20060217  found nothing
drweb                 4.33/20060218            found nothing
etrust-inoculateit    23.71.80/20060218        found nothing
etrust-vet            12.4.2086/20060217       found nothing
ewido                 3.5/20060218             found nothing
fortinet                                       found nothing
f-prot                3.16c/20060217           found nothing
ikarus                                         found backdoor.linux.keitan.c
kaspersky                                      found backdoor.linux.keitan.c
mcafee                4700/20060217            found linux/ddos-kaiten
nod32v2               1.1413/20060217          found nothing
norman                5.70.10/20060217         found nothing
panda                                          found nothing
sophos                4.02.0/20060218          found nothing
symantec              8.0/20060218             found backdoor.kaitex
thehacker                                      found nothing
una                   1.83/20060216            found nothing
vba32                 3.10.5/20060217          found nothing

‘derfiq’ current detection:
antivir                                        found worm/linux.lupper.b
avast                 4.6.695.0/20060216       found nothing
avg                   718/20060217             found nothing
avira                                          found worm/linux.lupper.b
bitdefender           7.2/20060218             found nothing
cat-quickheal         8.00/20060216            found nothing
clamav                devel-20060126/20060217  found nothing
drweb                 4.33/20060218            found nothing
etrust-inoculateit    23.71.80/20060218        found nothing
etrust-vet            12.4.2086/20060217       found nothing
ewido                 3.5/20060218             found nothing
fortinet                                       found nothing
f-prot                3.16c/20060217           found nothing
ikarus                                         found net-worm.linux.lupper.b
kaspersky                                      found nothing
mcafee                4700/20060217            found nothing
nod32v2               1.1413/20060217          found nothing
norman                5.70.10/20060217         found nothing
panda                                          found nothing
sophos                4.02.0/20060218          found nothing
symantec              8.0/20060218             found hacktool
thehacker                                      found nothing
una                   1.83/20060216            found nothing
vba32                 3.10.5/20060217          found nothing

this write-up can be found here:

we will notify as we get new updates here:

gadi evron,


Linux kernel remote DoS, 20 mailing lists to read, best security training and insecure appliances

the sans isc reported on this:

two things i’d like to discuss are:
1. how many mailing lists do we have to read?

2. how real security training is done.


3. how this linux kernel vulnerability affects you where you may not even realize it.

on the first point – plenty. if you want to be in the security industry, read your favorite blog(s) or stay on 50 mailing lists reading a bunch of cesspool cr*p every day. that’s how it is.

that’s how real training in the security industry is done today. show me an alternative to the wide range of knowledge, developing security-minded thinking and the right paranoia backed up by wisdom and tech-savvy, as well as knowing the b/s from what’s real.

as to this linux kernel vulnerability… how many of us heard about it? mailing lists are not perfect. however, most of those who would update their machines by now, already did.

what about the machines you can’t update and/or don’t know about?

how many third-party appliances such as application firewalls, i[dp]s systems and other such cr*p do you have on your network or, worse, in front of it, ready to be exploited?

how many of these appliances run linux? how many of them run windows?
how many of them are secure enough to even have basic ports closed?

port scan them and find out.

when was the last time you received a vendor update for the machine itself?

i’d start worrying if i were you. not everything is a dos, and a dos at the entry point to your network caused by one of your own machines is kind of bad, although solvable once you realize what causes it.

gadi evron,


Windows Media Exploit: Lesson Learned Yet?

we’ve been hearing a lot about software distributors downplaying vulnerabilities in their code. it seems like a familiar tune. sunshine’s post hits on it. i talked about it two weeks ago after mozilla managed to (yet again) severely downplay some trivially-exploitable vulnerabilities fixed by recent patches. judging from this week’s windows media player fiasco, the lesson hasn’t been learned.

accurate assessment is important for two reasons:

1) adequate coverage

if those responsible for deploying fixes are led to believe that vulnerabilities are of less risk than is actually present, this means that systems that need to be protected, aren’t.

exhibit one: the microsoft internet explorer dom race condition vulnerability. microsoft was informed of the potential issue more than six months before it was proven to be exploitable. because of a bad risk assessment on microsoft’s part, most of its user base was tactically naked when code appeared demonstrating the exploitability of the issue.

2) prioritization

if issues that aren’t of severe risk are rated as such, the risk assessment system being used implicitly has less merit. over-hyping can force affected customers to look for other sources of information about risk (which may not always be coherent) or to do costly risk assessment of their own before deploying fixes, to evaluate potential damage to compatibility in the face of a security issue of uncertain risk. of course, that also increases the possibility that the customer will make the wrong choice.

accurate risk assessment (particularly from vendors) clearly is of importance to creating conditions that lead to a secure user base. it should be obvious, then, why researchers as a community (as a result of a predisposition toward that goal) are generally willing to take extreme measures to ensure that an accurate risk assessment is achieved. the rest of this post is an example of what not to do if you get an assessment wrong.

during an exchange with microsoft’s security response center about the recent windows media plug-in vulnerability (ms06-006), i was very sharply critical (no pun intended) of the weak ‘important’ rating given to this vulnerability. i pointed out several facts:

* firefox installs windows media support implicitly
* windows media is installed on almost all windows pcs
* the vulnerability could be triggered simply by viewing a web page in an alternate browser with the plug-in enabled
* a vulnerability with a very similar trigger that was exploitable from ie was rated ‘critical’

the answer i received was that were a scenario developed where a component that was “installed by default” could be exploited without anything more than a click for interaction, the vulnerability would probably be upgraded to a critical severity. the only sense in which the vulnerable code is not a “default install” is the fact that alternative browsers aren’t present on most fresh installs of windows. nor are office, frontpage, iis, or any other of a myriad of components… and that doesn’t preclude vulnerabilities in them from receiving ‘critical’ ratings.

i pointed to the above and offered some clarification. essentially, i see no reason this vulnerability shouldn’t be rated ‘critical’. i’m then told that, had the msrc believed it possible, such a scenario would clearly justify a ‘critical’ rating.

so… the exploit in front of me is impossible?

that was the last straw. i had a few details to work out, still. my exploit hadn’t really been fine-tuned and so was a bit unstable in the “real world” environment. msrc, however, had just given me the impetus to make it stable. in my effort to bring about a bit of sanity in the impact assessment, i released proof-of-concept code that demonstrated exactly how easy it is to exploit an alternative browser on a system without ms06-006 applied.

oddly enough, microsoft has left its rating alone. and not for good reason. now, we have two exploits available and users are still being kept in the dark about how serious this vulnerability really is. this issue is a critical risk and has been from day one. microsoft should demonstrate to its user base that it understands this and give the vulnerability the rating it deserves. at least, if users must be exposed to threat, they should have accurate information about what that threat really is. not using your company’s browser is not a reason to be kept in the dark.


Exploit: Head-2-head – H D Moore and Matthew Murphy (MS06-006)

apparently, both h d moore and our very own matthew murphy worked all night to write working exploit code for ms06-006.

head to head they coded, and we honestly can’t tell who wrote the first working code!

h d moore’s code can be found here.
matthew murphy’s code can be found here.

both guys are amazing, and h d moore as always knows more than most of us put together. we think that matthew’s code however is universal, and he is the first who hit the lists with full code.

his code should work on nt/2000/xp/2003, pretty much anything and everything windows media that is vulnerable.

that was not even 2 days for a not (that) trivial to exploit vulnerability. lucky for us there are responsible researchers such as these to help those of us in the security world do our job, as those on the dark path have their own resources while we deal with legal b/s from people who jdgi. just don’t get it.

sunshine asked us to update that both these cool guys mentioned they used techniques by skylined. thanks skylined!

(got anything to tell ren&stimpy? email us: rennstimpy@securiteam.com)


Cell phone operator sent information on 7000 Government accounts in an unprotected e-mail

According to The Finnish Ministry of the Interior, the risk of a leak of confidential information appeared because of one unprotected e-mail message. The cell phone operator TeliaSonera sent detailed information on thousands of the ministry’s employees using the company’s mail servers located outside of Finland.

Naturally, there is quite a bit of confidential information (names, phone numbers, positions) when discussing employees working for institutions controlled by the ministry.

The whole case started on Tuesday, when the ministry released information about an unspecified security risk related to thousands of cell phone accounts, including the “violence unit” of the police force and the National Bureau of Investigation. At the same time, they announced that personnel had been advised not to discuss confidential subjects on their cell phones.
Mrs. Ritva Viljanen, Chief Secretary of the Ministry of the Interior (i.e. Permanent Secretary), spoke about the connection to TeliaSonera, which is responsible for a significant number of ministry cell phone accounts. According to Mrs. Viljanen, there was a risk of eavesdropping related to this unspecified security problem.

The situation changed rapidly when an official press release from TeliaSonera Finland disclosed details about an e-mail sent in January.
TeliaSonera, a well-known operator, immediately disclosed this lapse in its security and privacy practices; the information had been sent in connection with an ongoing operator switching process.
Additionally, the company says there was no confidential information included in the message at all. “There was far too much information, and it was sent to too many people”, says Viljanen. See the Helsingin Sanomat article reference for details about the differing views on this subject.

According to new comments from Mr. Erka Koivunen, the chief of the local CERT-FI team, it is possible that such disclosure of information can aid the more traditional eavesdropping methods if used by criminals. Additionally, the local IT community is having a theoretical discussion about fake base stations, recent Bluetooth vulnerabilities, cloning of SIM cards, etc. All of the links available are Finnish-language, however.
Home addresses and other details can enable physical eavesdropping on another participant, said the local online news today. According to Mrs. Viljanen, 15 separate records per account were included in the e-mail attachment mentioned. A different telecommunications service provider, Elisa, won the competition for mobile telephone connections.

In fact, Mr. Koivunen “dropped a bomb” with his additional information. For a whole week, both IT news and non-IT news have been wondering what the possible connections to the eavesdropping fiasco are. How is it possible to listen to GSM phones with the help of account information? The answer is: it is not possible.

In Finland you can forbid the disclosure of your personal information by the population registration system for purposes such as direct marketing, genealogical research, etc. The most effective level in use is ‘Non-disclosure for personal safety reasons’. See this page for details. Police officers are the biggest group using this right. Needless to say, these officials normally want to hide their cell phone numbers as well.

The CERT chief also said that even fragments of confidential information can help people using surveillance techniques. I completely agree.

This case emphasizes the importance of standing guidelines and processes when classified Government information is sent to, or handled in cooperation with, an international company.

One of the original news items was published in the biggest local newspaper “Helsingin Sanomat”.


Looking behind the smoke screen of the Internet: DNS recursive attacks, spamvertised domains, phishing, botnet C&C’s, International Infrastructure and you

this text is meant for two (main) purposes:
1. updating the community about recent threats.
2. showing the community some suggestions of what can be done.

in the recent weeks many people (including on different public ops communities such as nanog) have noticed ddos attacks going on, which appear to be abusing recursive dns servers.

a couple of documents on the subject:

the attacks generally seem the same as always. nothing new here. why the big buzz then? (so far these have been kept “quiet” on several communities even if it is in plain sight and people speak of it openly).

the buzz may be about the packet size/resulting fragmentation this time around, actual attacks seen in the wild on a wide scale, etc. regardless, nothing new. recursive is bad. don’t do it. :)

[update: do it, but do it right]

for those of us too busy to read the documents linked to above, imagine an icmp echo attack where the spoofed source gets all the replies, only over dns… this is not very technically correct but it will do.

ignoring the ddos for a second, in the last year, completely unrelated, in the anti virus world we see (and don’t really connect the dots) more and more trojan horses (i.e. bots) which use hosts/domains whose ip addresses, or even name servers, change very often. these are now called “fast-flux” domains.

not connecting the dots, as in the samples one sees the dns rr’s, but not that they keep changing.

fast-flux is actually a term which was coined in the anti spam fighters world, completely unrelated to the anti virus world. as these hosts are used to spamvertise from, or these name servers are used to host such bad domains, this is obviously something bad (although some fast-flux issues are legit, most aren’t).

some of these domains, following certain patterns, are used in trojan horses (maybe we should call them zombies this time) to coordinate. i.e. the c&c (command and control, also known as c2) servers where the different trojans (bots) are controlled from.

these patterns, such as those used by the (now old) bobax trojan (worm!), often utilize a domain pattern which needs to be worked out if one wants to control these c&c’s, as the domain changes with, for example, the time-stamp. (old irc trick from the girlbots trojan horses, with differentiating channel names)

these can be 3ld’s or actual domains, i.e.:


the samples would connect to these based on the algorithm, while these will be registered by the bad guys.

in the recent attacks the specific name servers which are vulnerable are used while the domains are being spamvertised and then switched back to a different ns.

this may indeed be the dns activity seen, or it may be unrelated. i don’t believe in coincidences though.

the ddos (which may be a direct or unrelated result of spamvertising or botnet control over dns) may be a smoke screen for what’s really going on, or it may be what it seems, just ddos. as the bot controllers do both spam and ddos, i see no reason why they wouldn’t use this technology for both purposes (or other purposes yet to be seen).

they (the bad guys) may have even just noticed it in the wild, used by other bad guys, or they shared the techniques (they have quite a lot of cooperation going), while the good guys weren’t sharing information/cooperating and thus didn’t notice it happening for a long time.
if they (the good guys) do notice “it”, for example the ddos, then they don’t notice the connection between different industries and fields.

-opinion- thinking a vulnerability or error will not be exploited/mistakenly triggered at some point in time just because it is left alone for a while is insane. even if, as the saying goes, we won’t attribute malicious intent to what is likely stupidity – any mistake which can happen, will happen. major parts of the us power grid going down every few years have proved that much.-/opinion-

fast-flux hosts have also been used in phishing for over a year now (before that they were indeed in the wild, but mostly in proof of concept attempts).

phishing in its original form of receiving a mail message and going to a site is going to be with us 10 years from now (much like 419′s are still with us today), but its volume has been slowly decreasing for some time now.

phishing in general however, is in fact increasing, with millions upon millions of usd lost every month. quite a bit of roi for the russian mob and friends from brazil, eastern europe, nigeria, other hot-spots and the rest of the world, don’t you think?

the bad guys utilize trojan horses (sorry, bots) more and more now for this activity, rather than the old bulk emailing techniques (even using … zombies).

the trojan horse (sorry, worm) would connect to the dns rr, which will change ip addresses and/or name servers quite often, and thus while thousands, hundreds of thousands and all the way to millions of trojan horses (zombies!!!) send out phishing emails, the actual sites move constantly (between every 10 minutes and once a day). this makes reporting these sites and taking them off the air increasingly difficult.
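as an added example (not code from the original post), here is the kind of heuristic a defender can run over passive-dns or repeated-lookup data to spot the fast-flux behaviour described above, both the a-record flux and the name-server switching mentioned earlier: many addresses on unrelated networks with short ttls, or a churning ns set. the record format, the /24 stand-in for “different network” and the thresholds are assumptions, and the sample observations are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Observation:
    """one dns answer seen by a passive-dns sensor or a repeated lookup (constructed format, an assumption)"""
    ts: int       # unix time the answer was seen
    name: str     # name that was queried (a 3ld or a registered domain)
    rrtype: str   # "A" or "NS"
    value: str    # ip address for A records, host name for NS records
    ttl: int


def summarize(observations):
    """group answers by name and collect the signals the heuristic looks at"""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ns": set(), "ttls": []})
    for o in observations:
        s = stats[o.name.lower().rstrip(".")]
        if o.rrtype == "A":
            s["ips"].add(o.value)
            # distinct /24s as a crude stand-in for "hosted on unrelated networks" (assumption;
            # asn lookups would be better but need external data)
            s["nets"].add(str(ip_network(o.value + "/24", strict=False)))
            s["ttls"].append(o.ttl)
        elif o.rrtype == "NS":
            s["ns"].add(o.value.lower().rstrip("."))
    return stats


# thresholds are assumptions chosen to separate the two constructed names below,
# not values from the post; tune them against your own passive-dns data
MIN_IPS, MIN_NETS, MAX_TTL, MIN_NS = 5, 3, 600, 4


def is_fast_flux(s):
    """a-record flux: many addresses on many networks with short ttls; ns flux: a churning ns set"""
    a_flux = (len(s["ips"]) >= MIN_IPS and len(s["nets"]) >= MIN_NETS
              and s["ttls"] and min(s["ttls"]) <= MAX_TTL)
    ns_flux = len(s["ns"]) >= MIN_NS
    return bool(a_flux or ns_flux)


def classify(observations):
    """return {name: True/False} for every name in the observations"""
    return {name: is_fast_flux(s) for name, s in summarize(observations).items()}


# constructed sample: a stable name on one /24 with hour-long ttls, and a 3ld that
# moves every ten minutes across unrelated networks and rotates its name servers
SAMPLE = [
    Observation(0, "www.example.net", "A", "198.51.100.10", 3600),
    Observation(1800, "www.example.net", "A", "198.51.100.11", 3600),
    Observation(0, "www.example.net", "NS", "ns1.example.net", 86400),
    Observation(0, "www.example.net", "NS", "ns2.example.net", 86400),
]
for i, ip in enumerate(["10.1.1.5", "10.2.7.9", "10.3.3.3", "10.4.8.1", "10.5.5.2", "10.6.1.1"]):
    SAMPLE.append(Observation(600 * i, "pics.dyn.example.org", "A", ip, 300))
for i in range(1, 5):
    SAMPLE.append(Observation(600 * i, "pics.dyn.example.org", "NS", f"ns{i}.flux.example.com", 300))

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE).items():
        print(f"{name}: {'fast-flux' if verdict else 'stable'}")
```

a legitimate cdn can also show many addresses, which is why the ttl and the spread across networks are checked together rather than the address count alone.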

that is also why anti virus companies become critical to the fight to keep the internet alive, as while network operators can follow network traffic, the anti virus researchers and reverse engineers actually see what the trojan horse does and how.

dynamic dns providers (most of whom are good.. amazing people) have seen this done with 3ld’s as botnet c&c servers for a few years now. use of cryptographically strong domain names (with whatever algorithm used) is newer, but not that new.

what am i trying to say here?

all these activities are related, and therefore better coordination needs to be done much like we do on the da and mwp groups, cross-industry and open-minded. r&d to back up operations is critical, as what’s good for today may be harmful tomorrow (killing c&c’s as an example).

the industry needs to get off its high tree and see the light. there are good people who never heard about bgp but eat trojans (sounds bad) for breakfast, and others need to see that just because some don’t know how to read binary code doesn’t mean they are not amazingly skilled and clued with how the network runs.

this is not my research alone. i can only take credit for seeing the macro image and helping to connect the dots, as well as facilitating cooperation across our industry. still, as much as much of this needs to remain quiet and done in secret-hand-shake clubs, a lot of this needs to get public and get public attention.

over-compartmentalizing and over-secrecy hurts us too, not just the us military. if we deal in secret only with what needs to be dealt in secret, people may actually keep that secret better, and more resources can be applied to deal with it.
some things are handled better when they are public, as obviously the bad guys already know about them and share them quite regularly. “like candy” when it comes to malware samples, as an example.

some solutions to think about:
- help facilitate better cooperation.
- help facilitate better coordination.
- join a mitigation group, do something.
- join a research group, find solutions that won’t just kill the current problem and make it far worse 2 years down the road (terrorism, spam, botnets, phishing).
- work with others outside your club, you may learn something.
- stop ignoring problems until they become yesterday’s problems.

some intermediate solutions:
- run a clean computer. secure your machine.
- run a clean service provider, secure your network and answer abuse reports.
- cooperate and share information.
- cooperate with law enforcement, as economics such as the roi the bad guys see can only be beaten with changing the cost-benefit/risk-gain equation.

some immediate solutions:
- block outgoing port 25 on dynamic ranges if it is right for your organization (“don’t be the internet’s firewall”).
- make sure your dns servers don’t allow recursive requests.
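as an added example (not from the original post), here is how to check whether one of your own name servers answers recursive queries for the whole world, the property the ddos described above abuses: send a query with the RD bit set for a name outside the server’s own zones and look at the RA flag, rcode and answer count in the reply. the query id, the test name and the header-only sample replies are assumptions/constructed.

```python
import socket
import struct
from typing import Optional

# dns header flag bits (rfc 1035, section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired (we set it)
FLAG_RA = 0x0080  # recursion available (the server sets it)
RCODE_MASK = 0x000F


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """standard A/IN query for `name` with RD set; `name` should be outside the server's own zones"""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # qtype=A, qclass=IN


def parse_header(resp: bytes) -> dict:
    """decode the 12-byte header; everything the check needs is in there"""
    if len(resp) < 12:
        raise ValueError("truncated dns message")
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "rcode": flags & RCODE_MASK, "ancount": ancount}


def is_open_resolver(resp: bytes, expected_id: int) -> bool:
    """open resolver = it matched our id, says RA, returned NOERROR and actually gave answers.
    a server that is 'doing it right' answers outsiders with REFUSED (rcode 5) and no RA."""
    h = parse_header(resp)
    return h["id"] == expected_id and h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def check_resolver(server: str, name: str = "example.com", timeout: float = 3.0) -> Optional[bool]:
    """send one recursive query to `server` on udp/53; None means no reply within the timeout"""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return is_open_resolver(resp, qid)


# constructed header-only replies (not captured from any real server) so the check runs offline
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR|RD|RA, NOERROR, one answer
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR|RD, REFUSED, no RA

if __name__ == "__main__":
    print("constructed open reply    ->", is_open_resolver(OPEN_REPLY, 0x1234))     # True
    print("constructed refused reply ->", is_open_resolver(REFUSED_REPLY, 0x1234))  # False
```

run check_resolver() from an address outside your own networks: a resolver that is only open to your customers will look closed from the inside, which is exactly the “do it right” case from the update above.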

i recently shared with paul vixie an idea for a structure of an operational group for dns. paul vixie and the dns folks are taking care of their end with the dns infrastructure where they can.
dns in general (not the infrastructure) has been neglected for a long time.

are you taking care of your issues? are you as responsible as these guys?

a lot more can be done, a lot more can be suggested. there are many examples of people doing amazing work. nsp-sec, da, mwp and many others.

these ideas should get us started on the next level of taking care of business.

want to be involved? get involved. see a threat? share it. think i am wrong? bring up your own idea and follow through, don’t just criticize others or try and stop them because you’ve grown warm and cozy in your spot in this world or for whatever other reason or jealousies you may have, as eventually they will circumvent you and work without you.

-opinion-one example for this is the anti virus industry and their naming conventions (hopefully to change with cme from mitre). another is the us government thinking they can control the internet and china showing them that if they won’t let them in, they will create their own systems. that’s just a hint of things to come, with alternate roots as just one side of the problem.

the internet is an “international infrastructure” and these power struggles are self-defeating.-/opinion-

feel free to ping me if you’d like to know what information sharing effort is going on in your area as well as involving your area with others (an effort which will actually allow you to join and help), as the fault is not only yours but also ours.

-opinion-our fault, us, the people who run these communities and global efforts, for being over-secretive on issues that should be public and thus also neglecting the issues that should really remain under some sort of secrecy, plus preventing you from defending yourself.

us, for being snobbish dolts and us, for thinking we invented the wheel, not to mention that we know everything or some of us who try to keep their spots of power and/or status by keeping new blood out (av industry especially, the net-ops community is not alone in the sin of hubris).

it’s time to wake up. the internet is not about to die tomorrow and there is a lot of good effort from a lot of good people going around. amazing even, but it is time to wake up and move, as we are losing the battle and the eventual war.

cyber-crime is real crime, only using the net. cyber-terrorism will be here one day. if we can’t handle what we have on our plate today or worse, think we are ok, how will we handle it when it is here?

there is a lot yet to be said, a lot which is not 100% accurate and a lot that needs to be done as well as already being done. it’s not enough and it can’t all be covered in one write-up.

this text can be found here:

future updates can be found here:

thank you.

gadi evron,


Leap.A, The OS X Virus

I’ve been following the news on this one since it started on macrumors.com, and now F-Secure have classed this one as a virus. The file in question is named “latestpics.tgz”, and when it was initially posted it was advertised as being pictures of the upcoming “Mac OS X Leopard”, also known as “OS X 10.5”.

You can’t simply just get infected with this virus; there are certain things that you have to do for this to infect your Mac. Which is still a worry, as a lot of people will be really interested in seeing the pictures of the new OS X, and will undoubtedly go through the following steps needed to infect your beloved Mac. If you somehow come across this file, whether it was sent to you via e-mail or iChat or you found it somewhere to download, DO NOT perform these steps, otherwise you will become infected!

- Double-click on the file to decompress it
- Double-click on the resulting file to “open” it

If you are running as a non-admin user, even if you do go through the steps above, it will still infect some files, though not as badly as if you are running OS X as an admin user, as it needs admin rights to be able to infect certain files.

This is a brilliant attempt at social engineering more than anything, as the virus is not capable of self-propagating at all; it relies solely on users actually going through the steps mentioned above. Another important note is that there is a bug in the code that prevents this virus from working as it was intended to, which is good for anyone running OS X, but bad in the sense that it will stop certain applications from launching once you are infected. This virus does not exploit any security holes in OS X at all; as I mentioned above, it purely relies on the user trying to see what’s in the compressed file.

A brief rundown on the contents of the file:

Once the file has been unzipped, tar will let you know that there are 2 files contained within, namely:

The .latestpics file is actually the resource fork of the file, which has had its icon changed to make it look like a jpeg file, therefore fooling users into trying to open this file. The following from Andrew Welch gives a really decent breakdown of what exactly the virus does:

“1) It copies itself to /tmp as “latestpics”
2) It recreates its resource fork in /tmp (with the custom icon in it) from an internally stored gzip’d copy, then sets custom icon bit for the new file in /tmp
3) It then tar + gzips itself so a pristine copy of itself in .tgz format is left in /tmp
4) It renames itself from “latestpics.tar.gz” to “latestpics.tgz” then deletes the copied “latestpics” executable from /tmp

–This gives it a pristine copy of itself, for later transmission.–

5) It extracts an Input Manager called “apphook.bundle” that is embedded in the macho executable, and copies it to /tmp
6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space

–This allows it to have the code in the “apphook.bundle” injected into any subsequently launched application via the InputManager mechanism–

8a) When an application is subsequently launched, the “apphook.bundle” Input Manager then appears to try to send the pristine “latestpics.tgz” file in /tmp to people on your buddy list via iChat (who will then presumably download the file, double-click on it, and the cycle repeats).

8b) (It looks like the author intended to get it to send the “latestpics.tgz” file out via eMail as well, but never got around to writing that code)

–This lets it send itself to people on your buddy list via iChat; this appears to be the only way it self-propagates externally–

9) It then uses Spotlight to find the 4 most recently used applications on your machine that are not owned by root
10) In an apparent “Charlie and the Chocolate Factory” reference, it then checks to see if the xattr ‘oompa’ of the application executable is > 0… if so, it bails out, to prevent it from re-infecting an already infected application
11) If not, it sets the xattr ‘oompa’ of the application executable to be ‘loompa’ (this does nothing, it is just a marker that it has infected this app)
12) It then copies the application executable to its own resource fork, and replaces the application executable with the OSX/Oomp-A trojan

nb: If run via double-clicking on the file, and the user doesn’t have privileges to modify an application, it silently fails. If run via the command line, it will ask for the admin password if it encounters an application for which it doesn’t have privileges to modify.

–It has thus effectively injected its code in the host application–

13) When an infected application is launched from then on, the trojan code is executed, and it tries to re-infect and re-propagate itself to other applications
14) It then does an execv on the resource fork of the executable, which is the original application, so the application launches as it normally would (in theory… see below)
15) Due to a bug in its code for executing the original app from its resource fork (it is only allocating a buffer 4 bytes bigger than the path when appending “/..namedfork/rsrc” to the path), it will stop any app it infects from running. Instead of adding the length of the string, it errantly adds the length of the pointer to the string, which is always 4 bytes.

In the end, it doesn’t appear to actually do anything other than try to propagate itself via iChat, and unintentionally prevent infected applications from running.”

There is also a disassembly of the executable available if you’re interested; it covers only the main executable portion of the code, not the embedded “apphook” InputManager code.


Comment spam and Xanga: create blogs to spam to?

yesterday on a blog i help maintain, we came across a spam post that traversed our filtering:

name: lin | e-mail: lindy_rucker@hotmail.com | uri: http://www.xanga.com/lindy_15 | ip:

hey hoe alot of my friends get hit on all the time
^^^ “hit on” is a bit of a giveaway, but this post was about getting infected with something so it is not clear-cut.

going to that page (at xanga, warning sign), it seems like yet another page created by a kid, and that this is real.

the message may or may not be real, i am just not sure how a 15 year old girl who can only write about her boyfriend in a repeated one-liner gets on a low-level security site.. and comments? why would she even care?

is this site maybe auto-generated to help get by the spam filters? some other ideas?
anything malicious there anyone notices?
is this… legit?!

neither i nor my friends can find anything malicious there. further, looking at her blog and some other sites we can relate to her, she seems to have been around for a while. that’s a plus point for legit.

i’ll let you decide if that site has anything malicious on it, but no. this is spam, and the web page (blog) was created (automatically or manually) to give it credibility.
the two most likely scenarios are that this is either a proof of concept to use blog systems as infection seeding grounds, or to train filters to let spam through. at least these would be my best 2 educated guesses.

another educated yet paranoid guess is that someone is pinging us (casing the store for a sting), seeing how sensitive our sensors and filtering systems are.

there is an option i’d call careful; can this be more than just a well orchestrated ping, but rather that the site was created for that specific purpose that long ago (2004)? [hat tip to spam huntress]

i can always be wrong and this is real or a joe job, but for some reason i doubt it. even if the site is real the post is not.
blogs are quick&dirty sites to create and easily fill with content. this is a bit scary.

feel free to enlighten me… i’d love more opinions as this is all just, indeed, only my opinion, especially if yours proves mine wrong! :)

my most recent previous posts on the subject:
blog attacks
comment spam: new trends, failing counter-measures and why it’s a big deal
comment spam: drive-by sites, domains and spyware – analysis, samples and facts

matthew murphy’s post on xanga:
xanga worm

gadi evron,