Domain: sans.org
Stories and comments across the archive that link to sans.org.
Comments · 672
-
Re:Crappy MS "GDI Detection Tool"
Try the SANS scanner instead: here. Much more comprehensive detection.
-
Re:Can be prevented...
Yes it has. Unfortunately like many Microsoft patches it gives you a nice fuzzy sense of false security. According to Microsoft, I'm nice and safe, but according to Tom Liston's GDIScanner and a quick perusal of the file versions, I'm quite possibly not. Fortunately my virus scanner *does* seem to pick up on this, but that's no thanks to Microsoft.
-
Full text of TFA: Here is the full text of the fucking article, since it's coming in slow already:
GDI Vulnerabilities: An open letter to Microsoft
Dear Redmond Folks:
When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill-lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident's demise. I hated that basement.
My parents, in a vain attempt to rid the basement of its malodorous twang, purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.
And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother's voice wafting down from above: It's cooooooooming..... It's cooooooooming to get you.......
And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.
Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.
MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.
Your GDI Scanning Tool is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.
[Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]
What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)
When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?
Please stop treating your customers like idiots and give us information; information that we can use.
In other words: Turn on the lights and open the door. We're ready to come back upstairs now.
-TL -
Command Line Scanner to ID vulnerable DLLs
ISC has published a scanner to identify vulnerable files. Has both a GUI and a command line option. Use a little creative scripting and you can use this to find vulnerable hosts on your network. Patch early, patch often...
-
Re:It's tough to patch
And Office Update tells you you're OK. When you're not. And the silly detection tool is too lazy to tell you what files it has found. The ISC has released a tool which will scan and report on what it has found.
Hmm, Nero 6.3.25's toolkit has an obsolete version of GDIPlus.dll. Yes, that's right, Nero 6.3.25 has just been released, without the updated GDIPlus. Yay!
And something has kindly installed "C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL" on my system. Vulnerable, yup. Office Update finds it? Nope.
What we need is a "Seek and Replace" tool to fix all occurrences. Microsoft Installer's inane way of (not) handling patches is another nightmare, too (which is why updating Office will be so problematic for MANY people). -
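The "seek" half of the tool asked for above, and an answer to the Side-By-Side question in Tom Liston's letter, as an added example in Python (not code from the ISC tools, from Microsoft, or from any of the posters): walk a tree, collect every gdiplus.dll whatever directory it lives in (WinSxS, a vendor's own folder, Common Files), read each copy's file version, and flag the copies below a minimum. The version reader calls the Win32 version.dll API through ctypes and therefore only runs on Windows; the classification is separated from file access so it can be checked offline against the constructed inventory in the block. The minimum version is a placeholder, not taken from the MS04-028 bulletin.

```python
"""Find every private copy of gdiplus.dll under a tree and flag stale ones.

Added example; the threshold below is a placeholder, not the bulletin's value.
"""
import ctypes
import os
import sys
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int, int]
TARGET = "gdiplus.dll"
# Assumed minimum: replace with the fixed FileVersion from MS04-028.
MINIMUM_VERSION: Version = (5, 1, 3102, 1360)


def parse_version(text: str) -> Version:
    """'5.1.3102.1360' -> (5, 1, 3102, 1360); tuples compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) != 4:
        raise ValueError(f"expected four dotted fields, got {text!r}")
    return parts[0], parts[1], parts[2], parts[3]


def find_copies(root: str, name: str = TARGET) -> Iterator[str]:
    """Yield every file named gdiplus.dll (case-insensitive) beneath root."""
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower() == name:
                yield os.path.join(dirpath, filename)


class VS_FIXEDFILEINFO(ctypes.Structure):
    # Layout of the fixed part of a PE version resource (all DWORDs).
    _fields_ = [(n, ctypes.c_uint32) for n in (
        "dwSignature", "dwStrucVersion", "dwFileVersionMS", "dwFileVersionLS",
        "dwProductVersionMS", "dwProductVersionLS", "dwFileFlagsMask",
        "dwFileFlags", "dwFileOS", "dwFileType", "dwFileSubtype",
        "dwFileDateMS", "dwFileDateLS")]


def read_file_version(path: str) -> Optional[Version]:
    """Windows only: FileVersion of a PE file via GetFileVersionInfoW."""
    if sys.platform != "win32":
        raise OSError("read_file_version needs the Win32 version API")
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None                      # no version resource at all
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        return None
    ptr, length = ctypes.c_void_p(), ctypes.c_uint()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        return None
    info = ctypes.cast(ptr, ctypes.POINTER(VS_FIXEDFILEINFO)).contents
    return (info.dwFileVersionMS >> 16, info.dwFileVersionMS & 0xFFFF,
            info.dwFileVersionLS >> 16, info.dwFileVersionLS & 0xFFFF)


def classify(inventory: Iterable[Tuple[str, Optional[Version]]],
             minimum: Version = MINIMUM_VERSION) -> Dict[str, list]:
    """Split (path, version) pairs into stale / current / unreadable."""
    report: Dict[str, list] = {"stale": [], "current": [], "unreadable": []}
    for path, version in inventory:
        if version is None:
            report["unreadable"].append(path)
        elif version < minimum:
            report["stale"].append((path, version))
        else:
            report["current"].append((path, version))
    return report


def scan(root: str, reader: Callable[[str], Optional[Version]] = read_file_version,
         minimum: Version = MINIMUM_VERSION) -> Dict[str, list]:
    """Walk root and classify every gdiplus.dll found; unreadable files are kept, not dropped."""
    def inventory() -> Iterator[Tuple[str, Optional[Version]]]:
        for path in find_copies(root):
            try:
                yield path, reader(path)
            except OSError:
                yield path, None
    return classify(inventory(), minimum)


# Constructed inventory (hypothetical paths and versions) for offline use.
SAMPLE_INVENTORY: List[Tuple[str, Optional[Version]]] = [
    (r"C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_old\gdiplus.dll", (5, 1, 3097, 0)),
    (r"C:\Program Files\SomeBurner\gdiplus.dll", (5, 1, 3102, 1360)),
    (r"C:\Program Files\Common Files\Vendor\gdiplus.dll", None),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        report = scan(sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemDrive", "C:") + "\\")
    else:
        report = classify(SAMPLE_INVENTORY)
    for path, version in report["stale"]:
        print("STALE     ", ".".join(map(str, version)), path)
    for path, version in report["current"]:
        print("OK        ", ".".join(map(str, version)), path)
    for path in report["unreadable"]:
        print("UNREADABLE", "?", path)
```

Run it per host (or push it out with whatever remote-execution you already have) and collect the STALE lines; the UNREADABLE bucket matters too, since a copy with no version resource is exactly the kind of file Windows Update will never look at.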
Are you patched?
These early POC exploits are covered in today's ISC Diary. Note that now there is a script to generate images to add an Admin level user (username "X").
Not too long until we see a remote shell.
Some people are talking about seeing it used in an MSN Messenger worm.
The hard part about patching this one is that a lot of third party software may overwrite the Windows JPEG GDI library with its own older version :-/ -
Re:It's about time...
Try suing spyware creators for illegally placing it on your machine. You'd have quite a fight on your hands to prove you didn't install it yourself.
After having researched a spyware infection recently, I disagree.
The folks at the CTD filed a complaint [warning: PDF] with the FTC that explains pretty clearly how the crapware can be installed without explicit user approval, and how difficult it is to remove.
And Tom Liston might make a nice expert witness: Follow the Bouncing Malware
-
Re:Right..
Yeah, that sounds good, but it's FALSE. Lots of spyware is installed using known browser security holes. So, a user doesn't even have to click a button, they just have to be using Internet Explorer, and who can fault the normal user for using the browser that came with their computers. Most users don't even know there are other web browsers out there.
-
Graph for windows box downtime
Box lasts 20 minutes a breakdown of the data
I think this should be on every computer shop wall, what do you say? -
Re:How long's it going to be?
You mean something similar to this where compromised IIS servers are going around infecting IE???
Yes, it's a worry - it really is... All someone needs to do is make IE infect the IIS servers (presumably a fairly simple task, considering the initial exploitation of the servers was probably scripted anyway) and your dastardly plan will come to fruition.
-
Proper switches cannot always defeat a sniffer
-
SANS
SANS offers some great security training, which while not a general "Intro to Linux" does provide some very intensive insight into securing Unix/Linux.
Books can be good, but research them carefully before you plop down $50 for "linux unleashed" or some other crap book.
Some good books to look at:
UNIX System Administration Handbook (3rd Edition)
by Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein [THE classic Unix admin book, this edition also has some Linux-specific stuff]
Linux Administration Handbook
by Evi Nemeth, Garth Snyder, Trent Hein, Trent R. Hein [Similar to the above, but all Linux specific. Get both if you can.]
Many (not all) O'Reilly books (especially older ones) tend to be excellent references, e.g. DNS and BIND, Learning the vi editor, Sendmail, Practical UNIX and Internet security, Programming Perl, etc.
One problem you may face is that "Linux" in the "I just installed Suse" sense, is much more than Windows. Where in Windows you'd need to cover basic setup, network config, active directory, basic security, and maybe web server config, in Linux you have all of that plus the functional equivalent of SQL server, Visual Studio, dozens of programming languages, Office, etc.
Good luck! It's a fun ride once you get the hang of it. -
The Storm Center is excellent
One of the first things I check out every day is the Storm Center's diary. Between that, and Microsoft's security page, and SecurityFocus, and Infosecdaily.net, I've got more than enough paranoia (I hope...) to make it through BugTraq and Full Disclosure.
What about the rest of you? What links do you check out, and what am I missing?
-
Three links I just can't live without as an admin:
SANS Internet Storm Center
Provides current Internet port graph history and advisories
CERT's Vulnerabilities page
Provides current Internet virus history and news.
Keynote Internet Health Report
Provides a table of ping times between various Internet backbones and providers. Great for checking if it's your ISP, or the backbone they are attached to that's having a slow day.
I advise everyone to check these out, as they provide a great wealth of information in a nice organized format. -
ISC Handlers put it best
From yesterday's
Diary:
"The ISC would like to go out on a limb and predict that the Internet will not vaporize into a cloud of nothingness this Thursday, but if it does, it's been our pleasure to help stave off its inevitable annihilation this long. " -
Re:Need more details...
I assumed it has something to do with windows file sharing. checkout http://isc.sans.org/large_map.php? and look at ports 135 and 445.
Remember how you could kill a windows^H^H^H^H^H^H network by setting up your own Primary Domain Controller... AFAIK SMB involves lots and lots of short messages, and many many more calls to xxx.xxx.xxx.255
-
ISC got another side
I like the Internet Storm Center's comment about this "news". From today's
diary:
"The ISC would like to go out on a limb and predict that the Internet will not vaporize into a cloud of nothingness this Thursday, but if it does, it's been our pleasure to help stave off its inevitable annihilation this long." -
Yes...the Handlers go out on a limb...
From yesterday's Internet Storm Center Handler's Diary entry:
Jihad Begins Thursday, Internet Predicted to Melt Down by Mid-day
You should probably start backing up that gig of gmail to local storage. According to a Russian news site, Kaspersky Labs states that terrorists will launch attacks which will paralyze the Internet this Thursday. This tragically coincides with two weeks of script kiddie attacks (which were scheduled to begin this past Sunday) aimed at disrupting the Republican national convention. In addition, many college students are back on campus this week, which provides the e-terrorists and i-subversives with a veritable candyland of insecure boxes on big pipes. Faced with this triple threat, our beloved Internet will surely fall.
The ISC would like to go out on a limb and predict that the Internet will not vaporize into a cloud of nothingness this Thursday, but if it does, it's been our pleasure to help stave off its inevitable annihilation this long.
Click here.
-
Re:Many more SSH login attempts
From http://isc.sans.org/diary.php?date=2004-08-22:
Joel Esler brought to our attention a new version of the brutessh code that has been posted and appears to match the scanning that we have been seeing lately. It appears that we finally have a solution to our mystery. Thanks for all the folks who submitted information and for everyone's time and effort that was put forth to coming up with a resolution!!
-
e-jihad perhaps?
SANS Internet Storm Center has a note on this. They have seen increased script kiddie activity possibly leading up to this. Started on Sunday. Also read the note on the "drag-n-drop" exploit that is now seen in the wild and only requires you to move the scrollbar for it to install....several scanners are not picking up some of the new binaries being installed.
-
Re:It's Microsoft!
It's a GOOD thing. Outgoing connection blocking can easily be bypassed by worms or malware, it adds complexity to the firewall
I agree. Complex firewalls have been responsible for lots of security holes. I know of one case where such a security hole was used by a worm. Other firewall software has had equally serious holes that could have been abused by a worm.
You can secure a Windows machine without any firewall at all. Just shut down all the services listening for connections from the internet, which should have been the default anyway. If a machine has been secured that way, in most cases installing a third party firewall would actually make the computer less secure.
Microsoft could have removed the need for a firewall by changing the default configuration. Instead Microsoft has chosen to include a firewall, and now turns it on by default. And apparently it is so simple that there is a chance the firewall doesn't create any security holes on its own.
-
Windows XP: Surviving the First Day
From the SANS Institute - a PDF file giving step by step, detailed instructions (suitable for newbies!) on how to set up a brand new, un-patched XP box, connect to the I-net, get it all patched and updated *WITHOUT* getting it all FUBAR'd in the process.
Good read and should be a mandatory inclusion with every Smith's Club, Wally-World, Shack de Radio, Dell, HP/Compaq, ET-ware, Gamer's Hack Shack or any other end user PC appliance sold.
http://www.sans.org/rr/papers/index.php?id=1298
SANS server is amazingly slow today - here's an alternate:
http://www.cablemodemhelp.com/xpsurvivalguide.pdf -
Try out NTBugtraq
I found NTBugtraq as a nice resource for those brave enough to take the plunge right away. I would suggest joining the listserv and checking out the archives online at http://www.ntbugtraq.com/
SANS has a site as well at http://isc.sans.org/xpsp2.php with user experiences. It looks like most of the problems are the usual 3rd party firewall and VPN products breaking, and miscellaneous hardware issues. Though this one might be an issue for some corporate users http://support.microsoft.com/default.aspx?scid=kb;en-us;883606&Product=windowsxpsp2 -
Re:without changing its functionality or filesize!
I was at a SANS conference a while back, and the instructor, Ed Skoudis, explained it as replacing certain operations with equivalents to represent bits. For example, "add 0002h" would be 0, "sub FFFEh", technically equivalent, would be 1. The more replaceable operations a program has, the more it can store. Hydan also encrypts the data with Blowfish before storing it.
-
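A toy version of the substitution described in the comment above, as an added example in Python (not code from the commenter, from Ed Skoudis, or from Hydan itself). Every add/sub with a 16-bit immediate is a carrier: the "add X" form encodes a 0 bit and the equivalent "sub (-X mod 2^16)" form encodes a 1, which is exactly the "add 0002h" vs "sub FFFEh" pair quoted. Because ADD AX,imm16 (05 iw) and SUB AX,imm16 (2D iw) assemble to the same three bytes, file size and behaviour are unchanged, which the block checks with a tiny interpreter. The instruction stream is constructed, the mnemonic/immediate representation is an assumption in place of real disassembly, and the Blowfish pre-encryption step Hydan adds is left out.

```python
"""Toy Hydan-style steganography: hide bits in the choice between equivalent
x86 instruction forms. Added example; the instruction stream is constructed."""
from typing import Iterator, List, Tuple

MASK16 = 0xFFFF
Instr = Tuple[str, int]          # (mnemonic, 16-bit immediate) -- assumed toy form

# 16-bit encodings of the two carrier forms; both are exactly 3 bytes long.
OPCODE = {"add": b"\x05", "sub": b"\x2d"}   # ADD AX,imm16 / SUB AX,imm16


def is_carrier(instr: Instr) -> bool:
    return instr[0] in OPCODE


def encode(instr: Instr) -> bytes:
    """Assemble a carrier instruction (opcode + little-endian imm16)."""
    mn, imm = instr
    return OPCODE[mn] + (imm & MASK16).to_bytes(2, "little")


def as_add(instr: Instr) -> int:
    """Immediate of the equivalent 'add' form: sub X == add (-X mod 2^16)."""
    mn, imm = instr
    return imm & MASK16 if mn == "add" else (-imm) & MASK16


def bits_from_bytes(data: bytes) -> List[int]:
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bytes_from_bits(bits: List[int]) -> bytes:
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def capacity_bits(program: List[Instr]) -> int:
    return sum(1 for instr in program if is_carrier(instr))


def embed(program: List[Instr], payload: bytes) -> List[Instr]:
    """Rewrite each carrier so its mnemonic spells the next payload bit."""
    bits = bits_from_bytes(payload)
    if len(bits) > capacity_bits(program):
        raise ValueError(f"payload needs {len(bits)} carriers, program has {capacity_bits(program)}")
    out: List[Instr] = []
    remaining: Iterator[int] = iter(bits)
    for instr in program:
        bit = next(remaining, None) if is_carrier(instr) else None
        if bit is None:                  # non-carrier, or payload already exhausted
            out.append(instr)
            continue
        imm = as_add(instr)              # normalise, then pick the form for this bit
        out.append(("add", imm) if bit == 0 else ("sub", (-imm) & MASK16))
    return out


def extract(program: List[Instr], nbytes: int) -> bytes:
    """Read the mnemonic of each carrier in order: add -> 0, sub -> 1."""
    bits = [0 if mn == "add" else 1 for mn, _ in program if mn in OPCODE]
    return bytes_from_bits(bits[:nbytes * 8])


def run(program: List[Instr], ax: int = 0) -> int:
    """Minimal AX-only interpreter, used to show the stego copy computes the same result."""
    for mn, imm in program:
        if mn == "mov":
            ax = imm & MASK16
        elif mn == "add":
            ax = (ax + imm) & MASK16
        elif mn == "sub":
            ax = (ax - imm) & MASK16
        elif mn == "xor":
            ax ^= imm & MASK16
    return ax


# Constructed sample program: eight carriers, so room for one payload byte.
SAMPLE_PROGRAM: List[Instr] = [
    ("mov", 0x1234), ("add", 0x0002), ("add", 0x0010), ("sub", 0x0005), ("nop", 0),
    ("add", 0x0100), ("sub", 0x0001), ("add", 0x0000), ("xor", 0x00FF),
    ("add", 0x7FFF), ("sub", 0x8000), ("ret", 0),
]

if __name__ == "__main__":
    stego = embed(SAMPLE_PROGRAM, b"A")
    for before, after in zip(SAMPLE_PROGRAM, stego):
        print(f"{before[0]:4} {before[1]:04X}  ->  {after[0]:4} {after[1]:04X}")
    print("recovered:", extract(stego, 1), "same AX:", run(stego) == run(SAMPLE_PROGRAM))
```

The price of the trick is visible in the listing the block prints: a stream where "sub FFF0h" stands in for "add 0010h" is not something a compiler emits, so a statistical look at immediate operands is the usual way such encodings are detected, which is why the original bit-level encryption buys secrecy of content but not of presence.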
Read SANS page first
Read the SANS page mentioned in the article. Well, unless you opt for the RedHat/Suse/Debian patch. The experiences on that page are probably the most comprehensive collection of possible issues. As always, the ISC managed to stay to the point without much hype and crap.
-
Impressive link collection
Just in case his site gets
/.'ed, here is his impressive list of links. - Jonah Hex in non-karma whore mode.
Downloads
Linux Wipe Tools: Three shell scripts for securely wiping all data from the swap partition, wiping unused disk space on the root partition, or wiping an entire disk, by Thomas C. Greene.
No Messenger: A batch file that eliminates Windows Messenger and fixes the problem of Outlook Express loading slowly when Messenger is absent, by an anonymous friend of The Register.
FileCheck MD5: A free, simple, lightweight MD5 utility for Windows, courtesy of Brandon Staggs.
Errata: A text file containing my various blunders and omissions in the book (right-click and "save as," or view as HTML). Last updated 6 June 2004.
Links to Other Goodies
Mozilla: A free, open source Web browser and e-mail client for Linux and Windows, feature rich and far more secure than Internet Explorer and Outlook Express. Recommended for novices.
Firefox: A free, open source, stand-alone Web browser for Linux and Windows. Very light and fast. Recommended for intermediate users.
Thunderbird: A free, open source e-mail and news client for Linux and Windows. Recommended for intermediate users.
GnuPG: Gnu Privacy Guard; a free, open source replacement for PGP, for Windows and Linux.
WinPT: Windows Privacy Tools; a free, open source GUI frontend to GnuPG for Windows.
Anonymizer: Various services for anonymous Web surfing, e-mail, chat, etc.
OpenSSH: A free, open source SSH (Secure Shell) client and server for Windows and Linux.
PuTTY: A free, open source GUI frontend to OpenSSH for Windows.
Ethereal: A free, open source network traffic analyzer for Windows and Linux. Windows users will need to install WinPcap before installing Ethereal.
Ad-Aware: A free, closed source adware/spyware scanner for Windows.
SpyBot Search & Destroy: A free, closed source adware/spyware scanner for Windows.
Sam Spade: CGI gateways to numerous online tools, such as whois, traceroute, etc.
SourceForge: A vast repository of open-source software for Windows and Linux. The site can be overwhelming, but it has a search engine to help users locate packages.
GNU Project: The home base of the open source movement. A repository of open source products, chiefly for UNIX-compatible systems.
Security Information
About Internet/Network Security: An informative and useful site dealing with computer and Internet security, with reviews of security products and books, practical howtos and tips, and links to numerous tools and information resources, geared toward beginners and intermediate users.
SANS Institute: An educational and research organization with a vast archive of security research documents, news, and advisories, geared toward intermediate and advanced users.
CERT/CC: Computer Emergency Response Team Coordination Cente -
Working version
Working version of the article (for now): http://isc.sans.org/diary.php?date=2004-07-23
-
Re:Alright, this means war
It's not just hitting Google. It's hitting all other search engines, according to the sans.org Internet Storm Center.
-
Re:GOOGLE IS DOWN?
-
Doesn't make much sense to speak of "reverse" FW
It is illogical to speak of a "reverse firewall". Perhaps these folks also tore a hole in the front of their house next to the "door" so they could also have a "reverse door" to exit by!
Firewalls work both ways, in and out. Which side is "in" and which side is "out" is also just a matter of definition and which network connection you connect to which port.
I think what they meant to discuss is "egress filtering" and this is not by any means a new idea. see "Consensus Roadmap for Defeating Distributed Denial of Service Attacks" at http://www.sans.org/dosstep/roadmap.php from February 2000 for one prior example of this concept.
-
Heated Feedback
-
Re:What, exactly, is the FBI doing about this?
According to the PDF linked to in a thread above (here, too), the majority of the banks being targeted aren't US banks. That would be why the US isn't getting involved-- but it COULD be used against US banks. If there was one time I would want law enforcement to make that particular long-jump to a conclusion, this would be it.
-
That's a BOGUS PHONE NUMBER! RTFDetails
And the phone number's bogosity is both noted at the end of the complete write up linked to at the end of the article, and something which Google would tell you, if you thought to look. -
Don't Call!!
According to the "complete findings" linked from the article, the phone number belongs to a school in Kansas.
-
CEH vs OPST (from pen-test)
For me, the value of a class is not in the test or even the certification at the end. The lasting value is in the knowledge and skill set that you refine and take with you back to your job. I also have made lasting relationships from the classmates, students, and instructors that I've met over the years. All of these mean a lot more to me than the "e-i-e-i-o" at the end of my name.
I gravitated towards ISECOM's OPST/OPSA classes because they fill a role I felt was missing in the security class space. Many non-vendor specific security classes have a very narrow tools based focus. While I agree that knowing how to use your tools in a test is important, I feel knowing why and when to use them is far more important. Knowing the politics involved in testing, going over internationally accepted testing practices, and reviewing regional and national legal regulations are just as much part of the job. These things are not merely important, but are required to be successful in your role as a security tester. In addition to the intensely technical aspects of the testing process, this is what the OPST represents; the "professional" side of security testing. Also, the ISECOM classes teach from ISECOM's Open Source Security Testing Methodology Manual (OSSTMM) which provides a much needed methodical framework to bring a scientific method style to the chaotic world of security testing.
The CEH class represents the other kind of class. One that is "flashy", "fun", "exciting", but not overly useful to the serious professional. While I have a lot of respect for Clément (one of the instructors for Intense School), I have very little respect for any organization that markets "hacker" classes. This includes the so-called ethical hacking, applied hacking, exposed hacking, grandmother hacking, squirrel hacking, super-duper 3y3 4m 31337 hacking, or any other fancy way of saying "Learn how to think and act like the bad guys".
While choosing where to spend your time and money, consider the community you are aligning with. If you look at ISACA, SANS, ISC2, ISECOM, etc.. they all have a true dedication to security and the betterment of the global information security community. Contrast the value of being affiliated (via education/certification) with any of those organizations over a piece of paper and a cd of toys.
-
Re:Better security is not a myth.
> Can anyone point to a single free software worm that auto propagated?
How about the lion and ramen worms from 2001? Or how about the fact that someone is trying to convince phatbot/agobot to compile on Linux?
Free software is not impervious to worms. However, due to the diversity of systems, it tends to be far more difficult to write a single exploit.
Then again, Free Software tends to have patches pretty quickly, too. Where's Microsoft with the patch for this latest pair of vulnerabilities in IE? -
Confusing CERT and SANS?
I think the journalist may have mixed up his notes. None of the recent CERT advisories mention Mozilla, Opera, or non-Windows OSes. However, Friday's SANS report says:
we recommend that you (*) install and maintain anti virus software (*) if possible turn off javascript, or use a browser other than MSIE until the current vulnerabilities in MSIE are patched.
-
RTFA surfers are safe
According to the original source at Internet Storm Center, there are 2 different infections going on. M$ IIS servers are vulnerable to an exploit that is undetectable by current virus scanners. However, visitors to infected servers are safe, because a separate method of infection is used there: a common JavaScript exploit, and a common trojan horse is downloaded. The trojan horse IS detected by current virus scanners, it's a "known" trojan horse.
-
And now I take it back
-
Is it an IE only exploit?
The original post mentions a "combination of two unpatched IE security holes", but both the US-CERT and Internet Storm Center only mention javascript and not a specific browser as being able to be compromised by the infected IIS servers.
My question is, how do we know this is an IE-only problem? I ask this because I have several friends whom I'm trying to convince try an alternative browser for security reasons but I don't want to be that guy we all know who goes off about "IE exploits" that turn out to be nothing of the sort. -
Security Advisories
US-CERT and Internet Storm Center. Less talk, more information.
-
Re:Windows XP: Surviving the First Day
Excellent article. And this is the number one article on the sans.org reading list.
... Couldn't help noticing number three with its provocative title: Penetration 101.
-
Windows XP: Surviving the first day
A paper with step by step instructions on how to update a virgin Windows XP system can be found here: SANS Reading Room: Windows XP, surviving the first day (PDF)
-
Found at isc.incidents.org:
-
but if you can't....
There are a few guides out there explaining what to do. Most of them involve shutting off windows services (such as file sharing and the windows network client) and using the firewall included with Windows XP before connecting to the internet.
Here is a fairly comprehensive guide, aptly named: Windows XP: Surviving the First Day
-
DNS problems
It may be related to this morning's Akamai DNS problems. Many large sites aren't easily accessible at the moment.
-
SANS Security Webcasts.
SANS has a great archive of their webcasts. Typically 2 or 3 each month. Just the Internet Storm Center webcasts alone are very much worth the effort. SANS webcast archive
.
Future stuff is here. -