The weekend produced an ANI worm

Only two days after the public disclosure of the Windows Animated Cursor handling 0-day vulnerability, an ANI worm is already in the wild.

More details are available via the ISC Diary entry here, which points to the C.I.S.R.T. report.

The upcoming week will start with restrictions on Web surfing at companies that have a good security policy.

The sad consequences of full disclosure

I checked with Sid why he hasn’t been answering my emails and learned that his ISP beThere disconnected him after he warned them about a trivial-to-exploit backdoor on all their customers’ routers.
The disturbing thing about this incident is that beThere were very quick to contact us asking that we take down (or modify) the article, and apparently they were fairly quick in disconnecting Sid, but when it comes to their customers’ security they are not as diligent - the problem is obviously still there.

I thought Sid was too nice when he removed the exploit details from his post (the ‘bad’ guys can get those themselves anyway) and I think I was very correct there. On the other hand I gave beThere a compliment about how fast they reacted to this incident and I was very wrong there - it seems their concern was solely the bad PR.

Let me change my previous comment to this: If I were a beThere customer I’d be concerned about the fact there’s a gaping backdoor on my router and all my ISP is doing is to threaten and disconnect a CS student for making this fact public.

On-going Internet Emergency and Domain Names

There is an on-going Internet emergency: a critical 0day vulnerability, currently exploited in the wild, threatens numerous desktop systems, which are being compromised and turned into bots, and the domain names hosting the exploit are a significant part of the reason why this attack has not yet been mitigated.

This incident is currently being handled by several operational groups.

This past February, I sent an email to the Reg-Ops (Registrar Operations) mailing list. The email, quoted below, argues that DNS abuse (the abuse of domain names, not weaknesses in the DNS infrastructure itself) is the biggest unmitigated vulnerability in day-to-day Internet security operations.

While we argue about this or that TLD, there are operational issues of the highest importance that are not being addressed.

The following is my original email message, elaborating on these above statements. Please note this was indeed just an email message, sent among friends.

Date: Fri, 16 Feb 2007 02:32:46 -0600 (CST)
From: Gadi Evron
To: reg-ops@…
Subject: [reg-ops] Internet security and domain names

Hi all, this is a tiny bit long. Please have patience, this is important.

On this list (which we maintain as low-traffic) you guys (the
registrars) have shown a lot of care and have become, on our sister mitigation and research lists (those of you who are subscribed), an integral part of our community we now call “The Internet Security Operations Community”.

We face problems today, though, that you cannot help us solve under the current setting. But only you can help us come up with new ideas.

Day-to-day, we are able to report hundreds and thousands of completely bogus phishing and other bad domains, but both policy-wise and resources-wise, registrars can’t handle this. I don’t blame you.

In emergencies, we can only mitigate threats if one of you or yours is in control. Just a week ago we faced the problem of the Dolphins stadium being hacked and malicious code being put on it:

1. We tracked down all the IP addresses involved and mitigated them (by we I mean also people other than me. Many were involved).
2. We helped the Dolphins Stadium IT staff take care of the malicious code on their web page (specifically Gary Warner).
3. We coordinated with law enforcement.
4. We coordinated that no one does a press release which will hurt law enforcement.
5. We did a lot more. Including actually convincing a Chinese registrar to pull one of the domains in question. A miracle. There was another domain to be mitigated, unsuccessfully.

One thing though - at a second’s notice, this could all be for nothing as the DNS records could be updated with new IP addresses. There were hundreds of other sites also infected.

Even if we could find the name server admin, some of these domains have as many as 40 NSs. That doesn’t make life easy. Then, these could change, too.

This is the weakest link online today in Internet security, which we in most cases can’t mitigate, and the only mitigation route is the domain name.

Every day we see two types of fast-flux attacks:
1. Those that keep changing A records by using a very low TTL.
2. Those that keep changing NS records, pretty much the same.

Now, if we have a domain which can be mitigated to solve such
emergencies and one of you happen to run it, that’s great…
However, if we end up with a domain not under the care of you and yours.. we are simply.. fucked. Sorry for the language.

ICANN has a lot of policy issues as well, and the good guys there can’t help. ICANN has enough trouble taking care of all those who want money for .com, .net or .xxx.

All that being said, the current situation can not go on. We can no longer ignore it nor are current measures sufficient. It is imperative that we find some solutions, as limited as they may be.

We need to be able to get rid of domain names, at the very least during real emergencies. I am aware how it isn’t always easy to distinguish what is good and what is bad. Still, we need to find a way.

Members of reg-ops:
What do you think can be conceivably done? How can we make a difference which is REALLY needed on today’s Internet?

Please participate and let me know what you think, we simply can no longer wait for some magical change to happen.

Gadi.

Thousands of malicious domain names and several weeks later, we face the current crisis. The 0day vulnerability is exploited in the wild, and mitigating the IP addresses is not enough. We need to be able to “get rid” of malicious domain names. We need to be able to mitigate attacks on the weakest link - DNS - which are not necessarily solved by DNSSEC or Anycast.
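Here is an added example, not part of the original post or of any ISOTF tooling, of the kind of check that turns the two fast-flux patterns named in the email (rotating A records behind a low TTL, and rotating NS records) into something an operator can run over records gathered by resolving a domain repeatedly. The snapshots are constructed; the thresholds (TTL at or below 300 seconds, at least five distinct addresses spread over at least three /16 prefixes, at least five distinct name servers with at least one change) are assumptions for illustration, as are the function and type names.

```python
from typing import FrozenSet, List, NamedTuple


class Snapshot(NamedTuple):
    """One observation of a domain: time (seconds), A-record TTL, A addresses, NS names."""
    t: int
    ttl: int
    a: FrozenSet[str]
    ns: FrozenSet[str]


def prefix16(ip: str) -> str:
    """First two octets of a dotted quad, a cheap stand-in for 'a different network'."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"


def assess(snaps: List[Snapshot], ttl_threshold: int = 300, a_threshold: int = 5,
           prefix_threshold: int = 3, ns_threshold: int = 5) -> dict:
    """Score a series of snapshots for A-flux and NS-flux. Thresholds are assumptions."""
    if not snaps:
        raise ValueError("need at least one snapshot")
    a_changes = ns_changes = 0
    for prev, cur in zip(snaps, snaps[1:]):
        a_changes += int(cur.a != prev.a)       # did the address set move between polls?
        ns_changes += int(cur.ns != prev.ns)    # did the name-server set move?
    a_seen: set = set()
    ns_seen: set = set()
    for s in snaps:
        a_seen |= s.a
        ns_seen |= s.ns
    prefixes = {prefix16(ip) for ip in a_seen}
    min_ttl = min(s.ttl for s in snaps)
    # A-flux: low TTL, many addresses, spread over unrelated networks, and actually rotating
    a_flux = (min_ttl <= ttl_threshold and len(a_seen) >= a_threshold
              and len(prefixes) >= prefix_threshold and a_changes >= 1)
    # NS-flux: the delegation itself keeps changing across many servers
    ns_flux = len(ns_seen) >= ns_threshold and ns_changes >= 1
    return {"min_ttl": min_ttl, "distinct_a": len(a_seen), "distinct_prefixes": len(prefixes),
            "a_changes": a_changes, "distinct_ns": len(ns_seen), "ns_changes": ns_changes,
            "a_flux": a_flux, "ns_flux": ns_flux}


# Constructed sample: new addresses from unrelated /16s every minute, NS set rotating too.
FLUX = [
    Snapshot(0, 30, frozenset({"10.11.1.5", "10.23.7.8", "10.45.9.1"}),
             frozenset({"ns1.flux.example", "ns2.flux.example", "ns3.flux.example"})),
    Snapshot(60, 30, frozenset({"10.23.7.8", "10.67.2.2", "10.89.3.3"}),
             frozenset({"ns2.flux.example", "ns3.flux.example", "ns4.flux.example"})),
    Snapshot(120, 30, frozenset({"10.89.3.3", "10.102.4.4", "10.11.1.5"}),
             frozenset({"ns4.flux.example", "ns5.flux.example", "ns6.flux.example"})),
]
# Constructed sample: low TTL but a static pair of addresses, the CDN-like case that must not trigger.
STABLE = [
    Snapshot(t, 60, frozenset({"10.200.1.1", "10.200.1.2"}),
             frozenset({"ns1.static.example", "ns2.static.example"}))
    for t in (0, 60, 120)
]

if __name__ == "__main__":
    for label, series in (("flux", FLUX), ("stable", STABLE)):
        print(label, assess(series))
```

Low TTLs alone prove nothing (CDNs and round-robin farms use them too), which is why the check also wants address churn across unrelated prefixes; even then this is triage for a human, not a takedown criterion on its own.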

On Reg-Ops and other operational groups, we came up with some imperfect ideas on what we can make happen on our own in short term which will help us reach better mitigation, as security does not seem to be on the agenda of those running DNS:

1. A system by which registrars can acknowledge confirmed bad domains (under strict guidelines) and respond to the reports according to their AUP and ICANN policy, thus “getting rid” of them in a much quicker fashion, is being set up at the ISOTF.
A black list for registrars, if you will. This is far from perfect and currently slow-going. Naturally, this can not be forced on all registrars, nor do the black hat ones, care.

2. A black list for resolvers (hopefully large service providers) is also being created at the ISOTF, so that the risk of visibility of bad domains, as will be defined, can be minimized. Naturally, no provider can be forced to use this list and there are millions of unaffiliated resolvers, etc.

Other options that have been raised as technically possible, but considered unlikely and indeed, bad:

3. Setting up a black list of domain names for TLD servers, for them not to respond on.

4. Creating an alternate root which we could trust.

Another suggestion which was raised:

5. Apply to change the ICANN policy.

We need a solution. This operational issue needs to be added as a main agenda item today so that tomorrow we will be ready to mitigate it. I blame myself to some degree for not raising this with higher echelons 2 and 3 years ago due to respect to those who have been working on DNS for many years, but what’s done is done.

The operational communities do not always know how to voice their needs or the difficulties they face. Nor will everyone agree on what the issues are. It is my strong belief (which is obviously my personal opinion), based on facts we see in daily security operations on the Internet that this issue is paramount, and I am sending here a call for help to the DNS experts of the world: what is our next step to be?

What do we currently intend to do (not my personal opinion):
We are formalizing a letter to ICANN’s SSAC, as they are the top experts on DNS infrastructure security issues, coming from the operational folks at the ISOTF who deal daily with abuse of the DNS (specifically fast-flux).

Further, the ISOTF is moving forward with items #1 and #2 as mentioned above. #3 will have to remain as a contingency, #4 we have no influence to affect. #5 is currently being explored.

Are we missing a possible solution? What does the larger community suggest?

Gadi Evron,
ge@linuxbox.org.

Vista is affected by the Windows .ANI 0-day too

Microsoft confirmed the new 0-day vulnerability in Animated Cursor handling some hours ago.

The vulnerability (tracked at the time as CVE-2007-1765; the identifier was later consolidated under CVE-2007-0038, which MS07-017 references) is being actively exploited to spread backdoor malware. When a workstation is infected, the malicious executable wincf.exe is copied to the machine; it then downloads further Trojans from http : //220 . 71.76.189 [Do not visit!].
The main attack vector is Internet Explorer. Readers familiar with MS05-002 will remember that MSIE loads cursor files referenced by a page (for example via a CSS cursor: url(...) rule) automatically, with no user interaction. This flaw is in the same ANI-parsing code MS05-002 patched: that fix validated the first anih chunk but not later ones.
The .ani file format is the format of Windows Animated Cursors.

Update: Some AV vendors detect this as Trojan.Anicmoo, TROJ_ANICMOO.AX, Exploit-ANIfile.c, Exploit:W32/Ani.C and Troj/Animoo-U.
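As an added example serving both this post and the ANI-worm note above (it is not from the original posts and is neither the worm's nor Microsoft's code), here is a small Python checker for the structural pattern the in-the-wild exploits use: a RIFF/ACON file whose first anih chunk is well formed, followed by a later anih whose declared length is not the 36 bytes of the ANIHEADER structure. The sample files are constructed inline; the checker flags any anih of the wrong size, a bogus cbSizeof field, duplicate anih chunks, and chunks that claim more data than the file holds. The 36-byte header size and the RIFF chunk layout are standard; the function names and the placeholder frame data are this example's own.

```python
import struct
from typing import List, Tuple

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields


def walk_chunks(buf: bytes, start: int, end: int, depth: int = 0) -> List[Tuple[str, int, int, int]]:
    """Return (fourcc, declared_length, data_offset, depth) for every RIFF chunk in
    buf[start:end], descending into LIST chunks. Chunk bodies are padded to an even length."""
    out = []
    pos = start
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4].decode("latin-1")
        length = struct.unpack_from("<I", buf, pos + 4)[0]
        data_off = pos + 8
        out.append((fourcc, length, data_off, depth))
        if fourcc == "LIST" and data_off + 4 <= end:
            # a LIST body starts with a list type ("fram" in ANI files), then nested chunks
            out.extend(walk_chunks(buf, data_off + 4, min(data_off + length, end), depth + 1))
        pos = data_off + length + (length & 1)
    return out


def check_ani(buf: bytes) -> List[str]:
    """Return findings about the file's structure; an empty list means it looks sane."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_len = struct.unpack_from("<I", buf, 4)[0]
    end = min(8 + riff_len, len(buf))
    findings: List[str] = []
    anih_seen = 0
    for fourcc, length, data_off, depth in walk_chunks(buf, 12, end):
        if data_off + length > len(buf):
            findings.append(f"{fourcc} chunk at {data_off - 8} declares {length} bytes, "
                            f"only {len(buf) - data_off} remain")
        if fourcc != "anih":
            continue
        anih_seen += 1
        if length != ANIH_SIZE:
            # the exploit pattern: a header chunk whose length does not match the structure
            findings.append(f"anih #{anih_seen} at {data_off - 8} declares {length} bytes, "
                            f"expected {ANIH_SIZE}")
        elif data_off + 4 <= len(buf) and struct.unpack_from("<I", buf, data_off)[0] != ANIH_SIZE:
            findings.append(f"anih #{anih_seen} cbSizeof field is not {ANIH_SIZE}")
        if anih_seen > 1:
            findings.append(f"anih #{anih_seen} is a duplicate header; a well-formed cursor carries one")
    if anih_seen == 0:
        findings.append("no anih chunk")
    return findings


# --- constructed sample files -------------------------------------------------
def chunk(fourcc: bytes, data: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(data)) + data + (b"\x00" if len(data) & 1 else b"")


def ani_file(*chunks: bytes) -> bytes:
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIH_OK = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)
FRAMES = chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 22))  # placeholder frame data

BENIGN = ani_file(chunk(b"anih", ANIH_OK), FRAMES)
# exploit layout: a correct first anih (what the MS05-002 fix checked), then an oversized second one
HOSTILE = ani_file(chunk(b"anih", ANIH_OK), chunk(b"anih", ANIH_OK + b"A" * 200), FRAMES)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(name, check_ani(sample) or "ok")
```

Run it over a mail or proxy quarantine; a file that trips the anih size check is malformed regardless of what the payload after the header looks like, so the check does not depend on AV signatures for a particular sample.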

Pervasive Cluelessness

If you don’t know about the Julie Amero case, you probably should. The case says all kinds of disturbing things about authorities who don’t take responsibility for the technology under their control, prosecution on the basis of public outrage, total failures of forensic procedures, and media witch hunts. The case has been written about all over the place. Here’s a recent sample:

http://www.internetnews.com/bus-news/article.php/3668451

> All she appears to be guilty of is being utterly clueless about computers.

This seems to be an all-too-common theme. While I think we can all appreciate the support, in terms of outrage over the conviction itself, I wish people wouldn’t keep sounding the “clueless” drum.

(If you don’t have any background on the case, then you’re ignorant of it, correct? You might want to do a search on “Julie Amero.” I’ll wait.)
I recall, way back when I was first getting involved with info tech, an editorial in “The Computing Teacher” (as it happened). It stated that, even if you didn’t have a computer, the simple fact that you subscribed to the magazine meant you were more tech savvy than 95% of your colleagues. (It was undoubtedly correct.)

Most people only *think* they know about computers. OK, so these smart-alecs know that turning off a monitor means you don’t turn off the computer. Good for them. (I can recall working on machines where, if you did turn off the monitor, you lost the session. Guess who’d be laughing at the smart-alecs in that case …)

I work in some fairly esoteric areas of technology. Any of the bloggers, and even tech rag columnists, that have made comments about cluelessness (on the part of Julie, the school, or even our good friend Mark) would be similarly woefully ignorant of things I take for granted. Everybody is ignorant, only on different topics (to quote another Mark).

I’d say that one of the important points to be made about this whole situation is that society at large is clueless about the technology that is increasingly important in all of our lives. And that includes those of us who supposedly know about it …

Targets of Allaple DoS-worm released

Information about the target Web sites of the polymorphic worm Allaple has been released. The Finnish CERT-FI unit has posted the information to the Bleeding Edge Threats wiki.

According to the report the targets are

www.starman.ee,
www.if.ee and
www.online.if.ee.

Note: The report is not fully visible when browsing with Safari. Firefox on XP and Mac works OK.

AS Starman is a Tallinn-based cable-TV operator and ISP. If P&C Insurance Company is a subsidiary of the Finnish Sampo Group.
Reportedly the worm has no Command and Control channel at all, i.e. even its author cannot switch it off. The only remedy is to patch the affected machines (MS04-012) and clean them, or to reformat the workstations.

The first reports of the worm date from July 2006. This DoS attack is not a minor issue.
If you see this worm in your organization, the typical characteristics are:

* ICMP packets carrying the mystery string ‘Babcdefghijklmnopqrstuvwabcdefghi’
* HTTP GET requests to www.if.ee
* TCP SYN packets to www.if.ee on port 97

This worm has several names - aka W32/Allaple-B, Rahack.W and Rahack.BB.
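The three characteristics above, as an added detection example written for this page (it is not CERT-FI's or Bleeding Edge's signature): a classifier over raw IPv4 packets that matches ICMP payloads carrying the mystery string, TCP SYNs to port 97 of the target, and HTTP GETs whose Host header is www.if.ee. The target address 192.0.2.10 is a stand-in for the site's real address, the packets are built inline, and IP/TCP checksums are left at zero since nothing here verifies them.

```python
import struct
from typing import Optional

MYSTERY = b"Babcdefghijklmnopqrstuvwabcdefghi"
TARGETS = {"192.0.2.10"}   # assumption: stand-in for the resolved address(es) of www.if.ee
SYN, ACK = 0x02, 0x10


def ip4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum zero) in front of payload; constructed for the example."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def icmp_echo(payload: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload   # type 8, code 0, checksum, id, seq


def tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload


def classify(pkt: bytes) -> Optional[str]:
    """Return an indicator name if the raw IPv4 packet matches one of Allaple's traits, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = ".".join(str(b) for b in pkt[16:20])
    body = pkt[ihl:]
    if proto == 1 and MYSTERY in body:
        return "allaple-icmp"
    if proto == 6 and len(body) >= 20:
        dport = struct.unpack_from("!H", body, 2)[0]
        flags = body[13]
        data = body[(body[12] >> 4) * 4:]
        if dst in TARGETS and dport == 97 and flags & SYN and not flags & ACK:
            return "allaple-syn-97"
        if dst in TARGETS and dport == 80 and data.startswith(b"GET ") and b"host: www.if.ee" in data.lower():
            return "allaple-http-get"
    return None


# constructed traffic: three worm packets and one ordinary connection that must not match
SAMPLES = [
    ip4(1, "10.0.0.5", "192.0.2.10", icmp_echo(MYSTERY)),
    ip4(6, "10.0.0.5", "192.0.2.10", tcp(40000, 97, SYN)),
    ip4(6, "10.0.0.5", "192.0.2.10", tcp(40001, 80, ACK, b"GET / HTTP/1.0\r\nHost: www.if.ee\r\n\r\n")),
    ip4(6, "10.0.0.5", "192.0.2.10", tcp(40002, 443, SYN)),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p))
```

Feed it the IP layer of frames from a capture (strip the Ethernet header first); a host producing the ICMP payload or the port-97 SYNs toward the victim is the infected machine to pull off the network.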

Mozilla’s thoughts about responsible disclosure

According to a News.com article, Mozilla’s security chief Window Snyder states that

“The researcher has all the power. They control when they disclose it, and they control the idea whether or not the vendor responds in time.”

Very interesting reading.

The Future of Fuzzing (from Fuzzing and Code Coverage)

Kowsik Guruswami sent a message today to DD about using code coverage to help build better fuzzers.

I have many thoughts on this subject. Here is my reply email:

On Mon, 26 Mar 2007, Kowsik wrote:
> We just released rcov-0.1, an interactive/incremental code coverage
> tool to assist in building effective fuzzers.
>
> Quick summary:
>
> - It’s a WEBrick browser-based application (ruby)
> - Uses gcov’s notes/data files to get at blocks and function summaries
> - Interactively/incrementally shows the coverage information while fuzzing
> - Uses ctags to cross reference functions/prototypes/definitions/macros

Hi Kowsik, thanks for this.

I have a few notes though, as I believe this can be taken much further (at least my studies so far show that).

We have three levels or layers (depends on approach):
1. Building better fuzzers (which you cover).
2. Helping the fuzzing process, fuzzing better.
3. Making the process of finding the actual vulnerability, once an indication is found (a successful test case, or as they say in QA, a passing one), easier.

Several folks in the past few months have said that fuzzing isn’t new and has been done for years - that much is true.

Some folks also said that fuzzing is as simple as it gets and has nowhere left to evolve. That is indeed very much false.

Code coverage, static analysis, run-time analysis.. etc. all have a place in the future of fuzzing.
I see fuzzer development in coming years as changing the term “dumb fuzzing” to mean today’s protocol-based smart fuzzing, and “smart fuzzing” being about what interactive changes are happening as you fuzz.

The most that we see today (in most cases) is the engine running undisturbed, while the monitor (if one even exists) is a simple debugger.

Evolving host and network monitoring to use profiling technologies, map functions and paths, watch for memory issues, etc. is fast coming.

Today, changing the action of a fuzzer as it is running is difficult (there is no real Driver, just an Engine). A simple example for this evolution could be watching for CPU usage. If the CPU usage spikes it could mean:
1. We are sending too many requests per second - we should slow down the engine.
2. (if for the thread itself) We are on to something, we should explore this attack (likely 10000 “attacks” we went through) or adjust to a different fuzzing engine to explore that particular section of the program (as we mapped it - code coverage again).

The two don’t easily work together, not to mention even stopping a fuzzer, rewinding it or God forbid running a different one at the same time (on the same instance anyway).

Which brings us to distributed fuzzing… but that’s a whole different subject yet again.

Fuzzing has a long way to go, and we didn’t even really start to explore full integration with static analysis tools (other than with results).

We had a discussion on the fuzzing mailing list recently about genetic fuzzing, but I am not really a math geek. Jared can explain that one better… and so on.

All that before we explore uses for fuzzing outside of the development cycle (mostly security QA) and vulnerability research, which is with client-side testing. Perhaps fuzzers will help us force the hand of software vendors to develop more robust and secure code.

Working for a fuzzing vendor I am only too familiar with the Turing halting problem and seeking reality in the midst of eternal runs, but the most interesting thing I found in the past few months (which wasn’t technical) is the clash of cultures between QA engineers and Security professionals. It will be very interesting to see where we end up.

Thanks,

Gadi.

Gadi Evron,
ge@linuxbox.org.
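An added example, not part of Gadi's email or of rcov, of the engine/monitor split he describes: a coverage-guided loop in the style of AFL's deterministic "interesting values" stage, with sys.settrace line coverage acting as the monitor and a toy TLV parser (constructed here, with a planted bug) as the target. An input joins the corpus only when it executes a line not seen before, and that feedback is what lets the loop reach a crash that needs two specific bytes in place: the first byte buys new coverage, the second is found when that input is itself mutated. The interesting-value list is AFL's 8-bit set; the target, the seed and all names are this example's own assumptions.

```python
import sys
from typing import Callable, Dict, List, Optional, Set, Tuple

# AFL's "interesting" 8-bit values, as unsigned bytes: 0, 1, 16, 32, 64, 100, 127, 128, 255
INTERESTING_8 = [0x00, 0x01, 0x10, 0x20, 0x40, 0x64, 0x7F, 0x80, 0xFF]


def parse_record(data: bytes) -> int:
    """Toy target, constructed for this example: 'RC', a count byte, then count TLV items.
    Planted bug: one tag/length combination is not validated."""
    if len(data) < 4 or data[:2] != b"RC":
        return 0
    count, pos, total = data[2], 3, 0
    for _ in range(count):
        if pos + 2 > len(data):
            return -1
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if tag == 0x10:
            if length == 0xFF:
                raise ValueError("unchecked length for tag 0x10")   # the planted crash
        total += length
        pos += length
    return total


def trace_lines(target: Callable[[bytes], object], data: bytes) -> Tuple[Set[int], Optional[BaseException]]:
    """Run target(data) under sys.settrace; return the source lines executed inside target
    and the exception it raised, if any. Line coverage is the monitor here; a native
    harness would read gcov notes or watch a debugger instead."""
    lines: Set[int] = set()
    code = target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                        # ignore every other function's frames
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        return lines, None
    except Exception as exc:                   # a crash, from the fuzzer's point of view
        return lines, exc
    finally:
        sys.settrace(None)


def fuzz(target, seeds: List[bytes], max_cases: int = 10000) -> Dict[str, object]:
    """Deterministic interesting-values stage with coverage feedback: every input that
    executes a not-yet-seen line joins the corpus and is mutated in its turn."""
    seen: Set[int] = set()
    corpus: List[bytes] = []
    crashes: List[bytes] = []
    queue: List[bytes] = []
    for s in seeds:
        lines, _ = trace_lines(target, s)
        seen |= lines
        corpus.append(s)
        queue.append(s)
    cases = 0
    while queue and cases < max_cases:
        parent = queue.pop(0)
        for pos in range(len(parent)):
            for v in INTERESTING_8:
                if parent[pos] == v:
                    continue
                child = parent[:pos] + bytes([v]) + parent[pos + 1:]
                cases += 1
                lines, exc = trace_lines(target, child)
                if exc is not None:
                    crashes.append(child)
                elif not lines <= seen:        # new coverage: keep it and expand it later
                    seen |= lines
                    corpus.append(child)
                    queue.append(child)
                if cases >= max_cases:
                    break
            if cases >= max_cases:
                break
    return {"cases": cases, "corpus": corpus, "crashes": crashes, "lines_covered": len(seen)}


SEED = b"RC\x01\x01\x02AB"   # constructed: one well-formed record with a single TLV item

if __name__ == "__main__":
    result = fuzz(parse_record, [SEED])
    print(result["cases"], "cases,", len(result["corpus"]), "corpus entries, crashes:", result["crashes"])
```

A blind mutator that throws away every non-crashing input would need both bytes to land in one mutation; the corpus step is the difference between "engine" and "driver" that the email is pointing at, and it is also the place where a CPU or memory monitor would plug in to steer which corpus entry gets expanded next.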

I love my Motorola, but I think she’s cheating on me

So, I got a new Motorola Q Smartphone. And, of course, the first thing anyone does when they get a new networked device is scan the sucker. I don’t expect any ports to be open (besides the synching ports), so I go for the UDP ports first. The stack on the Motorola is UDP-scanning friendly and I get:

42/udp open|filtered nameserver
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
135/udp open|filtered msrpc
136/udp open|filtered profile
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
445/udp open|filtered microsoft-ds
520/udp open|filtered route
1034/udp open|filtered activesync-notify
1434/udp open|filtered ms-sql-m
2948/udp open|filtered wap-push

Interesting. Now, I just need to generate some test cases and I can start fuzzing those services. I now scan to see what’s open on the TCP side. I honestly don’t expect anything. I start with ports 1-10000. And….port 8000 is open????? That’s a weird port to be open, so I telnet in to the port, and I get a 4-byte packet of \x00\x00\x00\x69 followed by a packet with the following strings:

  Motorola Test Command#11000
  Motorola MCU Data Logger#11006
  Motorola DSP Logger#11007
  QC Interface#11008

Hmmmm, another bit of interesting news. And those strings (minus the pound digits) return no info via Google. Further, what are those #[DIGIT] things. And, what sort of logging is being done? For kicks, I tell nmap to scan ports 11,000-11008 on both TCP and UDP. All the UDP ports are dead…but, port 11008/TCP is open. Nice. I now scan all ports through 65535 and I note that port 13000 is also open. So, to recap. I have 13 UDP ports to fuzz and 3 TCP ports to fuzz. I don’t hold much hope for port 8000. It appears to be a poor man’s rpc or something…telling me where other services might be living. Connect to port 8000 and it just dumps its data and immediately FINs. 11008 and 13000 don’t respond to the nudging that I’ve been sending down the pipe thus far. I’ve got a little homemade program that I’m running (a stupid little program) which just generates rand() bytes of rand() composition and sends it down the line and waits 6 seconds for a response. Once I can get a single response, I can just run permutations of the successful-response packet in hopes of a second response, ad infinitum….blackbox testing at its worst. So, now I’m out of the loop and just waiting for my program to find something and send me an email. I think I’ve hit refresh on my email client 75 times this morning. I’m too impatient to be a decent fuzzer guy. It’s been running for 11 hours! I should have some data by now! … Somewhere in cyberspace, Johnny Disco is laughing at me.

What would be nice (hint hint) would be a pointer to some protocol specs ;) In case anyone has forgotten, my email address is dmitry.chan@gmail.com

!Dmitry

Gozi Trojan analysis

SecureWorks has posted an analysis of another Trojan used to steal SSL/TLS-encrypted data transferred from the victimized PC.

A single attack by a single variant compromised more than 5,200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized Trojan code
  • Spread through IE browser exploits
  • Undetected for weeks, months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

Full article is here.

Procrastinate another 2 minutes

I read security blogs to stay current. That’s a lie. I read security blogs for the same reason I watch Jerry Springer. I want to see sociopaths and rednecks nutting up over their 20 minutes of fame. So-and-so is leaving this-or-that blog/company/affiliation/whatever and such-and-such is screwing this guy over with rambo litigation….etc. etc. It’s all meaningless, but it’s entertaining and a great way to kill time if you’re all out of good drugs. I think I might be getting jaded, apathetic, or burned out…hmmm, oh well, it doesn’t matter. Here’s some stuff that’ll help you get through another 2 or 3 minutes of your day.

Perhaps the funniest blog entry that I’ve ever read.

In other news…It’s official - Web application scanners are now so bad that I won’t even use them if they’re free. At this point, I am officially divorced from automated application scanners. What I’ve been using, primarily, is Proxies and Firefox browser plugins. Some folks were nice enough to put together a very nice list of Firefox plugins which make the app pen-testers life much easier. Snag it here

!Dmitry

The recent state of the Xbox Live accounts theft

Kevin Finisterre (aka KF) has posted information about ‘victims of stolen Xbox Live accounts’ to the FD list, i.e. links to Bungie.net statistics and Microsoft’s Xbox forum threads reporting stolen GamerTags.

The case was already reported on the mailing list during the weekend.

Microsoft Points are the currency of Xbox Live, Xbox Live Arcade and the Zune Marketplace.

26th Mar: Updated information available here.

Firefox 3 to support HttpOnly cookies

HttpOnly cookies are a mechanism Microsoft introduced in IE6 SP1 to add some security to cookies. The web developer sets a cookie (for instance the session cookie) as HttpOnly (both ASP and PHP support setting HttpOnly cookies) and the browser then only ever uses that cookie when sending HTTP requests, never when client-side script asks to read it. This means that if there is a cross-site scripting flaw on the website, the injected JS cannot read the cookie through document.cookie. The solution isn’t perfect (script running in the page can still issue requests that carry the cookie, and a browser that doesn’t implement the flag simply ignores it), but it does what it’s meant to do and doesn’t harm anyone.

Support for this is already in the Firefox 3 alphas, if you are inclined to use them, otherwise you’ll have to wait until November or so for the first official ff3 release.

If you are a web developer I suggest you start updating your code to use HttpOnly where applicable.
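An added example (not from the original post, and not the Firefox implementation): on the server side, a Python helper that emits a session Set-Cookie header with the HttpOnly and Secure attributes, and an audit function that parses Set-Cookie headers and flags session-like cookies missing either. The cookie values and the name fragments used to guess which cookies are session cookies are assumptions made for the example.

```python
from typing import Dict, List


def session_cookie(name: str, value: str, *, secure: bool = True, http_only: bool = True,
                   path: str = "/") -> str:
    """Build the value of a Set-Cookie response header. With http_only=True the browser
    never exposes the cookie to document.cookie, so an XSS payload cannot read it."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")        # only sent over HTTPS
    if http_only:
        parts.append("HttpOnly")      # not visible to client-side script
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header value into name, value and a case-insensitive attribute map;
    flag attributes (Secure, HttpOnly) map to True."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs: Dict[str, object] = {}
    for seg in segments[1:]:
        key, has_value, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


# assumption: name fragments that usually mark a session or auth cookie
SESSION_HINTS = ("sess", "sid", "auth", "token")


def audit_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Flag session-like cookies that lack HttpOnly or Secure."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        lname = str(cookie["name"]).lower()
        if not any(hint in lname for hint in SESSION_HINTS):
            continue                   # preference cookies are not worth the noise
        attrs = cookie["attrs"]
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly, readable via document.cookie after an XSS")
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure, sent in clear over http://")
    return findings


# constructed sample: a PHP default-style session cookie before and after the fix
WEAK = "PHPSESSID=3f2a9c0b1d; Path=/"
FIXED = session_cookie("PHPSESSID", "3f2a9c0b1d")

if __name__ == "__main__":
    print("weak :", audit_cookies([WEAK]))
    print("fixed:", audit_cookies([FIXED]) or "ok")
```

In PHP the same header comes out of setcookie()'s httponly argument or the session.cookie_httponly ini setting (PHP 5.2 and later); whichever way it is set, the audit function is a quick way to confirm the flag actually reaches the wire.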

OWASP Spring of Code

Over the past few years, I haven’t had the time to attend many security conferences. I happened to be in Seattle for the tail end of the OWASP autumn of code (October of 2006). I had the chance to go out to dinner and chat with many of the leaders in web application security. These are some of the sharpest guys in the industry and OWASP is on the cusp of really taking off. Some of their proposed projects for the Spring of Code will greatly aid the security industry. I already use many of their tools and the financing of innovative, open source security tools is *always* a good thing.

I’m very excited to see that a ’source code scanner’ may be one of the funded tools. As I’ve blogged in the past, there are great ‘frameworks’ (CodeScout and SWAAT to name two), but the meat of the work is always the individual checks. I hope to see a great open source .NET source code scanner in the near future.
If you’re young (of heart or otherwise), full of vim and vigour, and can afford the time, check out their Spring of Code initiative at http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007

!Dmitry

Gmail/Google XSS can be used to steal contacts (and the authentication token)

A combination of an XSS in the Google Groups web site with a “feature” of Gmail’s integration with Google Groups allows an attacker who can trick you into clicking a specially crafted URL to steal:

  • All Contacts you’ve ever mailed (Name and Email address)
  • Your Gmail authentication token

For more details go to this page.
(NOTE The vulnerability still works as of 2007-03-15 16:12 GMT+0)

No MS advisories? Apple to the rescue

Apple has released a “megapatch” that plugs 45 different security holes, ranging from vulnerabilities in Apple’s image-viewing programs and the kernel to the bundled MySQL server, the AppleTalk network protocol and OpenSSH.

More details can be found here.