Wednesday, November 18, 2009

Rule release for today - November 18th, 2009

Rules added and modified in several categories. As usual, go here: http://www.snort.org/vrt/advisories/2009/11/18/vrt-rules-2009-11-18.html for the changelog.

Wednesday, November 11, 2009

November 2009 Vulnerability Report

[Video: Sourcefire VRT Vulnerability Report November 2009, from Sourcefire VRT on Vimeo]

November Vulnerability Report.

This month, Alain Zidouemba talks about Microsoft Patch Tuesday, the SSL renegotiation flaw and the iPhone worm.

Tuesday, November 10, 2009

Microsoft Tuesday Coverage for November 2009

A number of advisories from Microsoft this month; expect us to cover the most pressing ones in our upcoming Vulnerability Report. For now, here's a quick overview:

Microsoft Security Advisory MS09-063:
The Web Services on Devices API (WSDAPI) in Microsoft Windows Vista contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16227.

Microsoft Security Advisory MS09-064:
A vulnerability in the Microsoft License Logging Service may present a remote, unauthenticated attacker with the opportunity to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 16238 and 16239.

Microsoft Security Advisory MS09-065:
A vulnerability exists in the Windows kernel that may allow a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 16231 and 16232.

Microsoft Security Advisory MS09-066:
A programming error in the Microsoft Active Directory NTDSA implementation may allow a remote attacker to cause a Denial of Service (DoS) against an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16237.

Microsoft Security Advisory MS09-067:
Multiple vulnerabilities exist in Microsoft Excel that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 16226, 16228, 16229, 16230, 16233, 16235, 16236, 16240 and 16241.

Microsoft Security Advisory MS09-068:
A vulnerability in Microsoft Word may allow an attacker to execute code on an affected system via the processing of a specially crafted Word document.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16234.

Changelogs on snort.org here: http://www.snort.org/vrt/advisories/2009/11/10/vrt-rules-2009-11-10.html

Thursday, November 5, 2009

DoJoSec meeting - November 5th

Tonight's DoJoSec has a change in lineup: since Lurene is on the PUP list for today, Matt Olney is stepping in to take her place and give a talk on "Custom Intrusion Detection Techniques for Monitoring Web Applications". This is similar to the presentation he will give next week at OWASP Appsec DC 09 in that it has the same title. However, tonight's presentation will not be the same talk; instead it is geared more towards the DoJoSec audience.

If you can attend, we'll see you there. There will be a few of us on hand to answer questions and chat about general security issues.

Wednesday, November 4, 2009

DoJoSec and DoJoCon

Tomorrow evening, starting at 6:00 pm at Capitol College, Laurel MD, Lurene Grenier will be giving a presentation on Byakugan. Following this event, on Friday morning, our Senior Director of the Vulnerability Research Team, Matt Watchinski, will be speaking at DoJoCon.

Check here for DoJoSec: http://www.saecur.com/dojosec.php

Check here for DoJoCon: http://www.dojocon.org/

Members of the VRT will be present at both events, and on Friday and Saturday they will be in attendance at the Sourcefire booth for DoJoCon. Come along with questions if you like or just to say hi.

Tuesday, November 3, 2009

Rule release for today - November 3rd, 2009

Adobe Adobe Adobe Adobe, we thought you only did patch releases once per quarter, guess we were wrong. Anyway, a few vulnerabilities with Shockwave. Get your rules on here: http://www.snort.org/vrt/advisories/2009/11/03/vrt-rules-2009-11-03.html

Monday, November 2, 2009

Paranoia and the rise of fake antivirus

This weekend I got a call from my father, who wanted my advice as the computer security guy in the family. It seems that my younger sister's laptop had become infected with a nasty little virus called Block Watcher, which had popped up a series of messages telling her that her computer was infected with a virus, and that she should go and purchase their product - for the low, low price of $30 - in order to clean her machine. Recognizing that something wasn't right, my sister called my father, who had in turn called me with his theory on how to best remove Block Watch, since his early attempts had been unsuccessful.

I quickly suggested that he Google for a removal tool, since modern malware is much more difficult to remove than anything he'd be familiar with (his last experience removing a virus was some time in the early-to-mid 1990's). A half-hour or so later, he called back, and said that while he'd found a removal tool, something about the site made him uneasy, and he wanted me to take a look and see if I could tell whether it was legitimate. When I pulled up the site - hxxp://removal-tool.com (WARNING: LIVE MALWARE!) - it seemed just as odd to me as it had to him, so I decided to do a bit of research on the site itself. When I put the domain name itself into Google, one of the first hits was a blog post from respected malware researchers TrendMicro showing how this exact site was delivering malware itself!

I downloaded a copy of the executable that the site suggested could be used to remove Block Watch and ran it through the free ThreatExpert.com analysis tool; the results are here. In addition to creating several files and registry entries on the target machine, the program opened up UDP port 1053 - as clear a sign of a back door as you'll ever get (in fact, SANS shows a recent uptick in activity on this port, and lists a pair of trojans associated with it).

The question I'm sure you have by now is, "So what? Why do I care?". The answer is simple: this sort of fake anti-virus scam is on the rise, and many users on networks that you run and/or are charged with defending aren't as suspicious as my father and my sister. In fact, according to a recently released report from Symantec, there were roughly 43 million attempts to install fake anti-virus software between July 1, 2008, and June 30, 2009. If you're watching over even a moderately large network, chances are that at least a few of your users have run across something like this.

Clearly, it's in your best interests as a network security professional to educate your users about scams like these - perhaps with the simple rule of thumb that "if any program on your system tells you that you have a virus, contact the IT department immediately." It doesn't hurt to run the VRT Certified rule set, either, since our spyware category contains rules for some of the most prevalent threats, like Spyware Guard 2008 (SIDs 16134 & 16135).

Oh, and whatever you do, don't trust McAfee's SiteAdvisor for a determination on whether a particular web site is clean - they rate removal-tool.com as clean, despite the fact that 11 of the 17 user-submitted reviews on McAfee's own page say the page contains "Adware, spyware, or viruses". Clearly someone over there isn't paying attention. ;-)

Thursday, October 22, 2009

Rule release for today - October 22nd, 2009

A few modifications in this release, most notably a fix for a false positive issue that raised its ugly head after the Microsoft Tuesday release.

Microsoft Security Advisory (MS09-059):
A vulnerability in the Microsoft Local Security Authority Subsystem Service (LSASS) may allow a remote attacker to cause a Denial of Service (DoS) against an affected system.

A previously released rule to detect attacks targeting this vulnerability has been modified to reduce the incidence of false positive events. It is included in this release and is identified with GID 3, SID 16167.

As always, changelogs: http://www.snort.org/vrt/advisories/2009/10/22/vrt-rules-2009-10-22.html

Snort 2.8.5.1 Release

Hot on the heels of the Snort 2.8.5 release, a new Snort tarball is now available that fixes a few issues:
  • Fixed syslog output when running on Windows.
  • Fixed potential segfault when printing IPv6 packets using the -v option. Thanks to Laurent Gaffie for reporting this issue.
  • Fixed segfault when additional policies were added during a configuration reload.
There's nothing particularly pressing with any of these issues, but as always you should download and install now.

Wednesday, October 21, 2009

Rapid7 makes bold statement acquiring Metasploit Project

Normally the acquisition of an Open Source product by a commercial company wouldn’t make the VRT blog, but in this case I believe this acquisition is going to cause some interesting developments in the threat landscape and in the vulnerability management space. I also think this is a very bold endeavor for a vulnerability management company like Rapid7; more on that in a bit.

First up a quick Troll shoot.
  • The license for Metasploit stays BSD.
  • Metasploit continues to be a community driven project.
Next up, why this is interesting to the threat landscape.
  • When an Open Source project gets commercial backing, the developers on that project don’t need day jobs anymore. They also get resources, tools, and budgets. This, in my opinion, means a lot of new code for this project in a short period of time. I saw exactly this when I started with Sourcefire almost 7 years ago: no more small releases, just big old feature releases.
  • Faster exploit development. If you have resources and people, you can quickly set up development environments, test things, reverse things, and build Metasploit modules. I’m guessing the number of exploits in Metasploit will quickly eclipse CORE and Immunity within a 6-month timeframe. I’m guessing this will follow the same course as with the Sourcefire VRT: go from 3k rules to 5k rules overnight.
  • Stability and Reliability. If you buy something you want it to work, and if you’ve got resources, your Open Source users expect a higher quality product. I’d assume they are going to hit this area first.
So what does this have to do with the threat landscape? Well two things, the first is more exploits, the second is a more reliable assessment platform which means I now have a much better way to pen-test my network. Pen-testers, network admins, systems administrators and security guys are going to get a better tool for finding vulnerabilities, determining if they are real, and being able to prove it to the boss man. At the same time, my own day job gets a little busier as everything they crank out I will need to investigate for detection purposes.

On the Vulnerability Management side, I think this changes the game for guys like nCircle and Tenable as Rapid7’s NeXpose™ product will be the only Vulnerability Management tool that can actually prove what it is reporting. It also gives Rapid7 the interesting advantage of being able to live test mitigation strategies and defenses. This is something that other vulnerability management solutions can’t do out of the box. That said it is going to be interesting to see how this integration takes place, and how many people are willing to click the “exploit host” button if that is how it is done.

Outside all that, I always love seeing Open Source products make it into the commercial game, as it continues to show the value of Open Source in the enterprise, and that just because software is free doesn’t mean it’s not worth more than the sum of all its license text.