A pre tag containing multiple single tags has been known to cause IE to crash.
Update (Jovs, 16 December 2005 11:32:46)
We have just acquired a sample of the MS05-051 malware. It has already been sent to the service team.
Update (Jovs, 16 December 2005 15:06:46)
This is now detected as WORM_DASHER.B.
Read more
A 33-year-old male from Norway has released a proof-of-concept exploit for an unpatched vulnerability in Microsoft Internet Information Services (IIS) 5.1.
The exploit works by sending a malformed HTTP request four (4) times to the target server running the IIS service, using nothing but a web browser. “The reason for the four-time ‘rule’ for the process to crash is an internal counter inside the inetinfo.exe process,” the author added. The vulnerability is present only in virtual directories whose Execute Permissions are set to “Scripts and Executables”, such as “_vti_bin” and the like.
The exploit remotely crashes the IIS service process, inetinfo.exe, on the target web server, resulting in a remote denial of service (DoS). The vulnerability has been known to Microsoft since January 28, 2005, but no patch has been released so far.
I have conducted a test and it really does crash the IIS service, inetinfo.exe, on my Windows XP SP0 box. I am running IIS version 5.1.2600.1. I entered the following URL in the address bar of Internet Explorer (on another machine) and refreshed it four times.
http://10.10.1.100/<BLOCKED>/.dll/*~0
This is the message that I got from the vulnerable web server. (10.10.1.100 is the address of my vulnerable web server.)
The * can be any of these ASCII characters:
%01-%1f, %3f, ", *, :, <, >
The last one can also be a /.
The "~0" can also be one of the following:
"~1", "~2", "~3", "~4", "~5", "~6", "~7", "~8", or "~9"
Update (JoneZ, 19 December 2005 22:04:28)
The French Security Incident Response Team (FrSIRT) has just published exploit code for this vulnerability.
Read more
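As an added example (not code from the original post, nor from the exploit's author), the Python below looks for the request shape described in the IIS post, a path ending in `.dll/<X>~<digit>` with `<X>` drawn from the listed ASCII characters, in IIS W3C extended log lines, and flags any client that sent it four or more times, the count the post says is enough to crash inetinfo.exe. The log field order and the sample lines are assumptions constructed for the example; check them against the `#Fields:` header of a real log before relying on the column positions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request shape from the post: a path under a Scripts-and-Executables virtual
# directory that ends in ".dll/<X>~<digit>", where <X> is one of the ASCII
# characters %01-%1f, %3f ("?"), '"', '*', ':', '<' or '>'.
SUSPECT = re.compile(r'\.dll/[\x01-\x1f?"*:<>]~[0-9]$')

# The post reports that the fourth malformed request crashes inetinfo.exe.
CRASH_THRESHOLD = 4


def is_suspect(uri):
    """True if a (possibly percent-encoded) request URI matches the crash pattern."""
    return SUSPECT.search(unquote(uri)) is not None


def find_offenders(log_lines, threshold=CRASH_THRESHOLD):
    """Count matching requests per client in IIS W3C extended log lines and
    return the clients that reached the threshold.

    Assumed field order (an assumption; verify against the real #Fields: header):
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    """
    hits = Counter()
    for line in log_lines:
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        client, stem, query = fields[2], fields[4], fields[5]
        # IIS splits the URI at '?', so put it back together before matching:
        # a request for ".dll/?~0" is logged as stem ".dll/" and query "~0".
        uri = stem if query == '-' else stem + '?' + query
        if is_suspect(uri):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= threshold}


# Constructed sample log (not taken from a real server): 10.10.1.7 sends four
# variants of the request, 10.10.1.9 sends only one.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-12-16 10:01:02 10.10.1.5 GET /default.htm - 200
2005-12-16 10:01:10 10.10.1.7 GET /_vti_bin/.dll/*~0 - 500
2005-12-16 10:01:11 10.10.1.7 GET /_vti_bin/.dll/*~0 - 500
2005-12-16 10:01:12 10.10.1.7 GET /_vti_bin/.dll/%3c~3 - 500
2005-12-16 10:01:13 10.10.1.7 GET /_vti_bin/.dll/ ~0 500
2005-12-16 10:01:20 10.10.1.9 GET /_vti_bin/.dll/:~9 - 500
""".splitlines()

if __name__ == '__main__':
    for client, n in find_offenders(SAMPLE_LOG).items():
        print(f'{client}: {n} crash-pattern requests (threshold {CRASH_THRESHOLD})')
```

The decode step matters: the post gives the trigger character as a percent-encoded value in some variants and as a literal in others, and a server that has already crashed may not have logged the last request at all, so a threshold of three, or alerting on the first hit, is the safer operational setting.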
A short while ago, we received over 1,000 spammed emails with a zipped attachment within an hour. The attachment is a sample of the infamous Bagle trojan, which will be detected as TROJ_BAGLE.CD. This malware drops “anti_troj.exe” in the %System% directory, then creates a registry entry so that the malware runs at system startup.
Click the following link for the email details: TROJ_BAGLE.CD
Update (JoneZ, 16 December 2005 03:15:35)
After barely 5 hours, we received another wave of the Bagle trojan. The attachments behave the same but differ in MD5 hash. The filenames of the unzipped attachments also differ: the first sample is S3700020.exe while the second is DSC00017.exe.
Update (JoneZ, 16 December 2005 05:05:14)
We already have a sample of the possible worm component of these TROJ_BAGLEs. The sample has already been forwarded to the Service Team for processing.
Update (JoneZ, 16 December 2005 06:59:36)
The VR for TROJ_BAGLE.CD is already posted here, and the worm component will be detected as WORM_BAGLE.CD.
Read more
After a long wait, Microsoft has released December’s security updates. The patches address vulnerabilities in Internet Explorer and the Windows kernel. Users should apply them to avoid attacks that exploit the vulnerabilities these updates fix.
MS05-054 – Cumulative Security Update for Internet Explorer (905915)
Microsoft rates this update critical because a successful attack allows remote code execution. It replaces the earlier MS05-052 cumulative update. Users must patch their systems immediately.
MS05-055: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)
This update applies only to Windows 2000 with Service Pack 4. It is rated Important, and Windows 2000 users are encouraged to update at the earliest opportunity.
Read more
Subject: Online Greeting Card Waiting For You
From: Best Postcard
Body:
Hello,
A Greeting Card is waiting for you at our virtual post office!
Sender: your dear friend
If you don’t pick up your Greeting Card within 4 weeks, our postal clerk may discard it!
CLICK this pick-up address or COPY and PASTE into your browser :
http://www.{blocked}.{blocked}.ro/postcard.gif.exe
(c) All-Yours Greeting Cards Provided as a free service by All-Yours Greeting Cards
http://www.{blocked}.{blocked}.ro
The link alone should raise an alarm: the file name postcard.gif.exe uses a double extension, and what actually downloads is an .exe, not an image.
Update (Zobel, 12 December 2005 21:56:10)
Read more
Subject: WE GOT IT!!!!
From: freestuff@paris-hilton-fans.com
Reply-To: freestuff@paris-hilton-fans.com
Date: Wed, 07 Dec 2005 16:56:32 +0100
Body:
HEY WE GOT THE PRIVATE VIDEO!!!! YES PARIS HILTON!!! CLICK HERE TO DOWNLOAD IT ITS JUST THE BEST PART!!! WOW
The link actually points to this URL:
http://{blocked}/{blocked}hiltons_secret.zip
When analyzed, the file turns out to be a KELVIR worm.
It now appears that the AIM worm is also being spammed, so it is likely to propagate through both email and instant messaging.
The file has already been submitted to the service team and is awaiting detection.
Update (Jovs, 12 December 2005 18:32:08)
Read more
Heads up: Microsoft plans to release its latest updates on December 13, 2005.
According to Microsoft, among the updates are:
- Two (2) Microsoft Security Bulletins affecting Windows. These updates are said to require a restart and will be detectable with the Microsoft Baseline Security Analyzer (MBSA).
- An update for Microsoft Windows Malicious Software Removal Tool
- Two (2) NON-SECURITY High-Priority Updates on Windows Update and Software Update Services (SUS).
- Three (3) NON-SECURITY High-Priority Updates on Microsoft Update and Windows Server Update Services (WSUS)
Read more about these on the Microsoft Advance Bulletin.
Read more
Another round of Rechnung malware is currently being spammed; there are no email details as of now.
The email attachments are Ebay-Rechnung.pdf.exe and Telekom-Rechnung.zip.
And once again we are saved by PAK_Generic.001. =)
Update (Jovs, 12 December 2005 17:03:32)
in but now the file is already compressed with .zip.
Update (Jovs, 12 December 2005 17:53:36)
Read more
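The Bagle, greeting-card and Rechnung lures in the posts above all rely on the same trick: an executable either wrapped in a ZIP (S3700020.exe, DSC00017.exe, Telekom-Rechnung.zip) or named with a double extension (postcard.gif.exe, Ebay-Rechnung.pdf.exe). As an added example, not code from any of the original posts, the Python below classifies link targets and attachment names by that trick and looks inside ZIP attachments without extracting them. The host name, the sample message body and the ZIP contents are constructed for the example; the blocked host names from the posts are not reproduced.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Extensions Windows runs directly when double-clicked (a practical subset).
EXEC_EXTS = {'exe', 'scr', 'pif', 'com', 'bat', 'cmd'}
# Harmless-looking extensions used as the decoy half of a double extension.
DECOY_EXTS = {'gif', 'jpg', 'jpeg', 'png', 'pdf', 'doc', 'txt', 'htm', 'html'}
ARCHIVE_EXTS = {'zip', 'rar'}

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def classify_name(name):
    """Label a file name or URL path: 'executable', 'double-extension',
    'archive' or 'other'."""
    parts = name.lower().rsplit('/', 1)[-1].split('.')
    if len(parts) < 2:
        return 'other'
    last = parts[-1]
    if last in EXEC_EXTS:
        # postcard.gif.exe, Ebay-Rechnung.pdf.exe: the real extension is .exe
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            return 'double-extension'
        return 'executable'
    if last in ARCHIVE_EXTS:
        return 'archive'
    return 'other'


def inspect_archive(data):
    """Classify the member names of a ZIP payload (bytes) without extracting it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(member, classify_name(member)) for member in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def scan_message(body, attachments):
    """Return (where, name, verdict) findings for links in the body and for
    attachments, descending into ZIP attachments. `attachments` maps file
    name -> bytes (None when only the name is known)."""
    findings = []
    for url in URL_RE.findall(body):
        verdict = classify_name(urlparse(url).path)
        if verdict != 'other':
            findings.append(('link', url, verdict))
    for name, data in attachments.items():
        verdict = classify_name(name)
        if verdict != 'other':
            findings.append(('attachment', name, verdict))
        if verdict == 'archive' and data is not None:
            for member, inner in inspect_archive(data):
                if inner != 'other':
                    findings.append(('archive-member', f'{name}:{member}', inner))
    return findings


def make_sample_zip(member='S3700020.exe'):
    """Build an in-memory ZIP holding a dummy .exe stub (constructed, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr(member, b'MZ' + b'\0' * 14)
    return buf.getvalue()


# Constructed sample modelled on the greeting-card lure; the host name is a
# placeholder (assumption), not the blocked one from the post.
SAMPLE_BODY = """A Greeting Card is waiting for you at our virtual post office!
CLICK this pick-up address or COPY and PASTE into your browser :
http://www.example.invalid/postcard.gif.exe
(c) All-Yours Greeting Cards  http://www.example.invalid
"""
SAMPLE_ATTACHMENTS = {
    'Ebay-Rechnung.pdf.exe': None,
    'Telekom-Rechnung.zip': make_sample_zip(),
    'invoice.txt': None,
}

if __name__ == '__main__':
    for where, name, verdict in scan_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(f'{where:14} {verdict:17} {name}')
```

Name-based checks like this are a cheap first filter, not a replacement for scanning the bytes: a renamed executable inside the ZIP, or a link that redirects to the .exe, passes the name test, which is why the posts still forward every sample to the service team.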
FireFox, and has the possibility of code execution (still testing, on version 1.5 btw). ISC has more details on the said PoC, as well as a workaround. And I’m still trying to get FireFox to trigger my debugger. Hmmmm….
Update (JJ, 08 December 2005 11:08:53)
the PoC and with FireFox v1.5. While I was waiting for my debugger to trigger, FireFox resumed its normal operation after around 30 seconds to 1 minute given the PoC. The PoC inserted a total of 2,500,000 characters for the title, so I figured, why not make it larger, say 25,000,000. FireFox “hung” for a longer time, but was able to function again. No code execution for me.
Update (JJ, 08 December 2005 17:59:43)
(right now you can trigger it manually. I’ll check out later how to trigger it when loading an HTML file) Copy and paste a looooooooong string of, say, “A”s into the URL bar. Just keep on pasting. And pasting. And pasting. Soon you’ll see the “A”s disappear, the system hangs, and the display settings have been changed. Well, at least on my Windows XP SP2, FireFox 1.5, on a ShuttleX machine. I’ll try this on other machines later.
Update (JJ, 08 December 2005 19:48:42)
issue, as tests on other types of machines did not reproduce the.. um.. bug. And on the original purpose of this entry, the FireFox PoC, I’ve contacted ISC about my findings and they noticed it too, but some of them were able to crash their PCs. We’ll find out soon enough. Mozilla already has this on their bug list.
Read more