Network Security Blog

The latest iteration of the MyDoom virus is starting to live up to it’s name; they virus starts deleting Excel and Word documents as well as various picture files. I can imagine the cries of pain out there, “Oh no! The virus ate all my pr0n! And my my work files too.” Here are a couple of links to the antivirus sites, and the signature I’m using in Snort. By the way, this signature came from the Snort-signatures mail list, but I already deleted the email, so I can’t give proper credit to the author.

Virus Analysis:
Trend Micro
McAffee Antivirus
Symantec Antivirus

Snort MyDoom.F Signature
alert tcp any any -> any any (msg:”Virus - MyDoom.F Worm”;content:”gICAgICAgICAgICAgICAgICAg”;content:”|57 69 6E 64 6F 77 73 2D 31 32 35 32|”;classtype:misc-attack; rev:1;)

Windows is offering a freeWindows Security Update CD. The CD contains all of the security updates through October 2003, and they will ship it to you for free. I hope they start offering up this type of CD every 3-6 months.

Here’s what I’m going to use mine for. First off, when I build a new system I’m going to update it from the CD before I ever attach it to the Internet. Most of the networks I connect to are pretty well protected, but why take a chance. Second of all, I’m going to burn copies of the CD and give it to all of my friends and relatives to update thier own computers. I’m pretty certain my father hasn’t updated his computer since I helped him set it up. This wouldn’t be the perfect solution, but his desktop will be a lot more up to date with these patches in place. I do have to check the fine print to make sure that Microsoft is okay with the copying of these disks, but they’d be stupid to create an issue over this disk.

So get your copy and use it.

I have a co-worker who is relatively new to the world of network security, and I’ve been looking for tutorials and FAQ’s for him to look at to bring him up to speed. Here are a few of the sources I’ve found so far. I’ll include more as I find them.

• Tutorial: tcpdump from FireTower Information Security
• SNORT FAQ for those new to snort. I’ve had Snort 2.0: Intrusion Detection by Syngress since it first came out, and I highly recommend it. It was written by Brian Caswell, part of the Snort technical team.
• Packet Attack A pretty good listing of tutorials on network analysis tools. They haven’t limited themselves to just Windows or Linux, which is nice.

More to come as I find it.

Ooops.

Apparently someone leaked 660 megs (out of 40 gigabytes) of the Windows source code. It went out on several filesharing networks and is now on the hard drives of thousands of hackers, script kiddies, and average users. This is just a fraction of the total Windows source code, but it is probably enough for some of the more savvy hackers to start writing viruses and worms that take advantage of hooks the Microsoft writers may have left behind.

• NeoWin - Exclusive: Windows 2000 & Windows NT 4 Source Code Leaks
• ZDNet UK - Windows 2000 source code posted online
• BBC News - Q&A: Microsoft source code leaked

  Update:

• Eweek - Windows Source Leak Traces Back to Mainsoft - Looks like the source of the source code has been found!

The ASN.1 vulnerability that has been patched by Microsoft’s latest download is classified as a heap overflow. What exactly is a ‘heap overflow’ you might ask? Here’s an article that will hopefully explain it to you

-Heap Overflows-

The extended entry contains the body of an email sent to the CISSP mailing list by Bill Royds. This is a slightly simpler and more easily read explanation of heap overflows.

Continue Reading »

Earlier this week Microsoft released a patch for a vulnerability in the ASN.1 library, and many experts are saying that this may be the single vulnerability ever discovered. This vulnerability affects all versions of Microsoft Windows based on the NT kernel, which is NT, 2000, XP and 2003. ASN.1 is used as a base library in many different modules in Windows, including Kerberos, NTLMv2, and IIS using SSL. Here are some links to information about the vulnerability.

• Microsoft Technical Bulletion MS04-007 ASN.1 Vulnerability Could Allow Code Execution. The stuff right from the horses … mouth.
• Eeye Security Advisory These are the guys that discovered the vulnerability and reported it to Microsoft. Two hundred days before Microsoft fixed it, that is. Oh yeah, they have 7 more vulnerabilities they’ve told M$ about, and 5 of them are considered to be of high severity.
• SearchSecurity An article about the possibilities from the vulnerability.

So get yourself patched!

This came up on one of the mailing lists I subscribe to.

Government agency exposes day-care data

Apparently a programmer looking for help on a sticky problem posted the live database from a daycare center on a site used for programming help. The database contained a lot of very personal information, including schedules and current address. Not the sort of thing you want getting out.

Over the last few weeks I have really gotten to like watching The Screen Savers. What I like the most about the show is that they try to have topics that are interesting to the geek in me, while still trying to be accessable to the average home user. I figure if my wife can understand what they are talking about, most people should get it. Not that the wife has limited mental faculties, but she usually only listens with one ear while cooking dinner and fending off small hands that want to play with the knobs on the stove. I also think Jessica Corbin is pretty easy to look at, but no need to tell my wife that.

Anyhow, last night they had a piece on with Ed Skoudis, pimping his new book “Malware: Fighting Malicious Code.” I haven’t seen the book yet, and I probably won’t any time soon, but I liked the piece and I really liked the web page they put up to support it. I’ve written before on some of the basics of securing your personal computer, but this article brings up something I’ve never really worried about before, spyware. You know, all those little programs and cookies that web advertisers install on your computer when your not looking. This is getting to be a real concern, as the software is becoming more invasive, and the advertisers are worrying less about whether they annoy you.

Continue Reading »

Internet Security Systems has released a set of vulnerability alerts for Checkpoint Firewall-1. Each of these vulnerabilities can allow remote compromise of the affected system. There is no patch expected to mitigate these vulnerabilies, since Firewall-1 is no longer supported by Checkpoint. Their advice is to upgrade to Checkpoint NG.

Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow

Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities

Here’s a pretty good article from ComputerWorld on what to do (and what not to do) if you get hacked, at least in the corporate world. The main point they make is that once you have contacted the authorities, quit playing with the system. Any changes you make to the system will only make the job of tracking down and prosocuting the hacker that much harder.