<?xml version="1.0" encoding="iso-8859-1"?>
<!-- generator="FeedCreator 1.7.2" -->
<rdf:RDF
	xmlns="http://purl.org/rss/1.0/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:dc="http://purl.org/dc/elements/1.1/">
	<channel rdf:about="http://www.emergingthreats.net">
		<title>Emerging Threats</title>
		<description>Emerging Threats News</description>
		<link>http://www.emergingthreats.net</link>
		<image rdf:resource="http://www.emergingthreats.net/images/M_images/joomla_rss.png" />
		<dc:date>2008-05-11T22:45:15+01:00</dc:date>
		<items>
			<rdf:Seq>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/65/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/64/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/63/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/62/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/61/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/60/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/59/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/58/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/57/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/56/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/55/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/54/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/53/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/52/9/"/>
				<rdf:li rdf:resource="http://www.emergingthreats.net/content/view/51/9/"/>
			</rdf:Seq>
		</items>
	</channel>
	<image rdf:about="http://www.emergingthreats.net/images/M_images/joomla_rss.png">
		<title>Emerging Threats</title>
		<link>http://www.emergingthreats.net</link>
		<url>http://www.emergingthreats.net/images/M_images/joomla_rss.png</url>
	</image>
	<item rdf:about="http://www.emergingthreats.net/content/view/65/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-05-05T13:27:30+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Srizbi Sigs</title>
		<link>http://www.emergingthreats.net/content/view/65/9/</link>
		<description>Seeing how Srizbi has overtaken Storm as most widespread I thought we should have some sigs for the common Srizbi loader URLs as we&amp;#39;ve been doing for Storm. There&amp;#39;s been a lot of good feedback on those. Definitely helps tip an admin off to a possible infection, or stop one if you&amp;#39;re blocking. The latest spams for Srizbi advertise URLs ending in /My_foto.exe, which ought to be relatively unique. Will just run this till they move to the next big thing.

alert tcp $HOME_NET any -&amp;gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)"; flow:established,to_server; uricontent:"/My_foto.exe"; nocase; classtype:trojan-activity; sid:2008188; rev:1;)</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/64/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-05-05T13:22:24+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Storm Sig Updates</title>
		<link>http://www.emergingthreats.net/content/view/64/9/</link>
		<description>I dropped the April Fools Day Storm sigs from Current Events, replaced with the latest, /load.exe.

alert tcp $HOME_NET any -&amp;gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:5;)

Thanks to Jeremy at Sudosecure.net for the update!</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/63/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-05-05T13:16:38+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Paros Proxy and DirBuster Scanner Sigs</title>
		<link>http://www.emergingthreats.net/content/view/63/9/</link>
		<description>New sigs sent in by Adam Pointon of SentinelSecurity.net. One for Paros Proxy, a web app scanner (http://www.parosproxy.org). That&amp;#39;s available here: http://doc.emergingthreats.net/2008187

And another for DirBuster, another scanner from OWASP (http://www.owasp.org). Sig available here: http://doc.emergingthreats.net/2008186

Good stuff, thanks for sharing Adam!</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/62/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-29T10:35:47+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Snortsam 2.53 out -- Significant Adds</title>
		<link>http://www.emergingthreats.net/content/view/62/9/</link>
		<description>Frank Knobbe has put a good deal of time into Snortsam and solved a few lingering issues and made some great new additions. If you use Snortsam or want to, this is the version to get going. The new source is available at http://www.snortsam.net/files/snortsam/snortsam-src-2.55.tar.gz

More from Frank:

Greetings,

I just committed to CVS what I consider to be a significant update, which includes the following changes:

* Increased stability of the Forwarder plugin in regards to persistent connection handling. In the past, dropped connections (lost remote Snortsams) would cause a crash which could lead to cascading crashes along the Snortsam chain. Very aggravating :) That&amp;#39;s been fixed and so far I have not observed any more crashes when either the sending or receiving Snortsam resets the persistent TCP connection or goes offline. Looks pretty stable. I highly recommend persistent TCP connections between Snortsams now.

* Changed DONTBLOCK and OVERRIDE such that they now properly recognize all associated IP addresses for a given host name. So, when you white-list, for example, www.cnn.com, it no longer white-lists only the first IP address, but all of them.

* Wrapped certain thread-unsafe functions (for example usleep) into mutex locks. This should hopefully fix any threading errors on Linux and other platforms. PLEASE, try this out. Remove any &amp;#39;nothreads&amp;#39; from the config, and add &amp;#39;forcethreads&amp;#39;. Then see if Snortsam runs fine, or if it locks up again after a while. It should do well now, but if it still locks up, I&amp;#39;d like to hear about it.

* The PIX plugin, as well as the Cisco Null Route and Email plugins, have been extended such that they will check (after the first block/email) if there are more block/unblock requests in the queue. If so, they will leave their connection to the PIX/router/mailserver open and logged in. They will skip the login part on the next block and reuse the existing session. Only if there are no more requests in the queue will they logoff and disconnect. So they don&amp;#39;t complete a full logon-block-logoff-logon-block-logoff sequence if more than one IP address is to be blocked. Instead they perform a logon-block-block-logoff sequence. This is especially helpful for reloads (USR1 signal) where potentially thousands of IPs are reblocked in one session. They now all get shunned in one logon session, dramatically improving speed and efficiency.

The Block function of all plugins has been modified to accept a read-pointer to the queue (it&amp;#39;s actually not a pointer, but it sounds better). Telnet-based plugins can use the boolean function moreinqueue(readpointer) to check if more requests are waiting in the queue, and then act accordingly. This is enabled only for multi-threading plugins. For example, if you change the threading-model of the PIX plugin from TH_MULTI to TH_SINGLE or TH_NONE, the function will always return FALSE so that only one action is performed per Block invocation. (This is to conform with the functionality that TH_SINGLE describes, to complete one device of the given plugin type at a time. That includes a complete logon-logoff cycle.)

I highly recommend everyone upgrades to this version (2.55).</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/61/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-25T23:24:36+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>BASE 1.4.0 Available</title>
		<link>http://www.emergingthreats.net/content/view/61/9/</link>
		<description>From the BASE Team:

The BASE project team is thrilled to announce that the 1.4.0 (katherine) release of the Basic Analysis and Security Engine (BASE) is available for download from http://sourceforge.net/projects/secureideas

This release is the next in a series of improvements that we hope make BASE the best choice in IDS analysis and reporting. With this release we have continued to fix bugs that are reported and update the system to perform faster, better and more reliably. Our graphing system continues to improve with the work of Jeurgen and various additions to our debugging have been added. A notable new feature is the world map within BASE.

Again, we would like to thank everyone for their support and if there are any problems, please either contact us at base@se... or post to the sf.net site at http://sourceforge.net/projects/secureideas

Thanks,
Kevin Johnson and the BASE project team</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/60/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-24T11:40:14+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Thousands of Sites Hacked, Signature up for the Resulting Trojan</title>
		<link>http://www.emergingthreats.net/content/view/60/9/</link>
		<description>The Shadowserver guys have sent over a signature for the password stealer trojan resulting from the latest round of massive site hacks. More on their blog here: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424

Signature 2008169 has been posted. This signature is proving very accurate, please take any hits very seriously! http://doc.emergingthreats.net/2008169

Matt</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/59/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-21T12:03:39+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>File Name Changes ** IMPORTANT **</title>
		<link>http://www.emergingthreats.net/content/view/59/9/</link>
		<description>Now that everything is stable from the move to Emerging Threats, it&amp;#39;s time to change the file names of the rulesets.

Wednesday 4/23/08 we will be changing files named bleeding-* to emerging-*. This is a cosmetic change only, all the rules have already been renamed. In the tarballs and in the web directories we will keep links from the new names to the old, so any rule managers ought not to break. But please change to the new names soon as we&amp;#39;ll eventually drop the links. You can change now to the new tarball URL: http://www.emergingthreats.net/rules/emerging.rules.tar.gz or http://www.emergingthreats.net/rules/emerging.rules.zip

And as always all the rules are available to browse in that directory: http://www.emergingthreats.net/rules/

Matt</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/58/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-14T09:09:30+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Well done Snortsam on FreeBSD How-To</title>
		<link>http://www.emergingthreats.net/content/view/58/9/</link>
		<description>Enhanced has put up a very good how-to for installing and configuring SnortSam, Snort and Squid on FreeBSD. It&amp;#39;ll help you out with any other OS as well, but FreeBSD has a few extra steps (but many advantages). You can read it here: http://global-security.blogspot.com/2008/04/block-bad-oss-ips-with-content.html

Great blog to keep up with, highly recommend it!

Matt</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/57/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-10T14:17:39+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Cyber-TA and SRI Release Malware Threat Center</title>
		<link>http://www.emergingthreats.net/content/view/57/9/</link>
		<description>As you may know, Cyber-TA (http://www.cyber-ta.org) is one of the projects we&amp;#39;re working very closely with to bring some new tools and research to the Emerging Threats and Snort community. They&amp;#39;ve just released a new information source called MTC, Malware Threat Center.

There&amp;#39;s a press release here with much more detail: http://www.marketwire.com/mw/release.do?id=842518

And of course the actual MTC is available here: http://mtc.sri.com

The project has only begun, so if you see new ideas or data that could benefit the community please let them know, or let us know and we can pass on the information.

Matt</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/56/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-09T12:06:25+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Bobax Spam Sigs</title>
		<link>http://www.emergingthreats.net/content/view/56/9/</link>
		<description>Some great intelligence from Joe Stewart at Secureworks (http://www.secureworks.com). Seems that the Bobax spam has some very unique and sig&amp;#39;able Message-Id fields. If you block on these you ought to reduce the load on your spam filtering systems significantly. Load ought to be manageable even though it&amp;#39;s pcre.

In the first one Bobax has a consistently long and setup message-id. It also uses a lower case d in Id, where the norm is all upper.

alert tcp $EXTERNAL_NET any -&amp;gt; $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: &amp;lt;"; pcre:"/Message-Id\: &amp;lt;[0-9A-Z]\.\d\.\d@[A-Z]&amp;gt;/"; classtype:misc-activity; sid:2008121; rev:1;)

Here we have a predictable string in the message id, and the same lowercase d. The trailing info is usually a domain name.

alert tcp $EXTERNAL_NET any -&amp;gt; $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: &amp;lt;"; pcre:"/Message-Id\: &amp;lt;[A-Z0-9]EJXVWDA\d\d\d@/"; classtype:misc-activity; sid:2008122; rev:1;)

These will change over time of course, but they&amp;#39;ll be good for a while. Please let me know how these fare! Be sure to pull sigs from the repository and not here, changes may not be reflected here in the future.</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/55/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-09T10:13:26+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Openpacket.org Operational!!</title>
		<link>http://www.emergingthreats.net/content/view/55/9/</link>
		<description>The guys at Openpacket.org are finally out of development and have released a working project. This has been in the works for a while, and is a VERY much needed service for the security and networking community.

The basic idea is us in the community submit pcaps to openpacket, they archive and index them. Why would this be useful? I&amp;#39;ll tell ya. How many times have you gone to write a signature about some protocol but weren&amp;#39;t sure what "normal" traffic on that port looks like? Normally we&amp;#39;d then go somewhere to find that protocol in use, get pcaps, wait, grab the wrong stream, try again, finally get a sample pcap. Well, now you can just go there, search for stuff, download and go. If you have a pcap that was useful to you you can add it to the archive.

From the Emerging Threats perspective, we&amp;#39;re going to try hard to put pcaps of exploits up on openpacket.org and use those as references from documentation about rules. That&amp;#39;ll help us go back in time and figure out what the heck we were thinking when we wrote a rule.

Anyway, congratulations to Richard and the guys at Openpacket. They&amp;#39;ve been working hard to get this online. Here&amp;#39;s a reference to the announcement: http://taosecurity.blogspot.com/2008/04/openpacketorg-10-is-live.html

And the site itself is http://www.openpacket.org</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/54/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-09T09:27:20+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>TFTP Rules</title>
		<link>http://www.emergingthreats.net/content/view/54/9/</link>
		<description>Had a really cool set of sigs from Nathaniel Richmond. These detect TFTP to an external host. As you know a lot of the win32 worms out there still use tftp to move binaries after infection, so these are of particular interest. If you&amp;#39;re using tftp over the internet (you shouldn&amp;#39;t be) don&amp;#39;t use these, or set suppression rules for known hosts.

#by Nathaniel Richmond
alert udp $HOME_NET any -&amp;gt; $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)
alert udp $HOME_NET any -&amp;gt; $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Write Request"; content:"|00 02|"; depth:2; classtype:bad-unknown; sid:2008116; rev:1;)
alert udp $HOME_NET any -&amp;gt; $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Data Transfer"; content:"|00 03|"; depth:2; classtype:bad-unknown; sid:2008117; rev:1;)
alert udp $HOME_NET any -&amp;gt; $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP ACK"; content:"|00 04|"; depth:2; classtype:bad-unknown; sid:2008118; rev:1;)
alert udp $HOME_NET any -&amp;gt; $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Error Message"; content:"|00 05|"; depth:2; classtype:bad-unknown; sid:2008119; rev:1;)</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/53/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-07T18:48:34+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Oderoor / Kraken / Bobax</title>
		<link>http://www.emergingthreats.net/content/view/53/9/</link>
		<description>Whatever it turns out to be, we have some test sigs for it. References below to a Damballa release of the new 400k node botnet. Appears to be an existing well known one not nearly that large.

2008103 through 2008110 are out for it, initial draft type sigs. The bot uses port 447 UDP mostly to communicate, but also seems to once in a while do a large transfer on TCP 447. This port is reserved for ddm-dfm Distributed File Management. Very rarely used as far as we can tell. The signatures above count on the fact that even if this is used it&amp;#39;s likely not used over public networks. Please let us know if this isn&amp;#39;t true. If you do use this protocol locally please consider a pass or suppression rule until we get better sigs.

References:
http://www.incidents.org/diary.html?storyid=4256
http://isc.sans.org/diary.html?storyid=4250
http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/ (also may be FUD)

Wiki at http://doc.emergingthreats.net/bin/view/Main/OdeRoor

Please report any falses at all!</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/52/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-04-03T15:56:35+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>UPnP Sigs</title>
		<link>http://www.emergingthreats.net/content/view/52/9/</link>
		<description>Put three new signatures up regarding UPnP. No new exploit or vulnerability, but we&amp;#39;re seeing malware samples that are going straight to the local router on TCP UPnP port 2555. This is unusual, normal UPnP starts with UDP port 1900 to do discovery.

http://doc.emergingthreats.net/2008092
This sig will find Internal to Internal UPnP requests on port 2555. These are legal, but not normal. If you see this on a non-home network it&amp;#39;s likely something you&amp;#39;ll want to follow up on if you weren&amp;#39;t doing it on purpose.

http://doc.emergingthreats.net/2008093
This is similar to above, but for requests coming from outside to your perimeter or internal net. This is never a good thing to have happening, and with recent issues of routers coming out of the box with external administration enabled, you&amp;#39;ll want to know about these.

http://doc.emergingthreats.net/2008094
Similar here, from outside to your local net, but the TCP port 2555 version. This is not a normal discovery protocol, someone&amp;#39;s trying to access your systems. Definitely needs attention!

Please report any issues!

Matt</description>
	</item>
	<item rdf:about="http://www.emergingthreats.net/content/view/51/9/">
		<dc:format>text/html</dc:format>
		<dc:date>2008-03-26T17:17:27+01:00</dc:date>
		<dc:source>http://www.emergingthreats.net</dc:source>
		<title>Nginx Server Sig</title>
		<link>http://www.emergingthreats.net/content/view/51/9/</link>
		<description>Nginx (http://nginx.net/) is a good http server and proxy, used in a lot of places for legitimate things. Unfortunately it&amp;#39;s used most often in hosting or redirecting for malicious sites. I&amp;#39;ve added sig 2008054 (http://doc.emergingthreats.net/2008054) to catch these. This doesn&amp;#39;t necessarily mean 100% that traffic is hostile, but it&amp;#39;s worth checking into.

As always please report any issues!

UPDATE: The existing sigs didn&amp;#39;t work, too many legitimate sites using nginx. Have added two signatures to catch modified server version strings that are more likely to be hostile: 2008064 and 2008065.</description>
	</item>
</rdf:RDF>
