
|------------------------------------------|
|- Astalavista Group Security Newsletter  -|
|- Issue 9 01 October 2004                -|
|- http://www.astalavista.com             -|
|- security@astalavista.net               -|
|------------------------------------------|
Table of contents
[01] Introduction
[02] Security News
- Image virus spreads via chat
- U.N. warns of nuclear cyber attack risk
- Sasser/Netsky virus coder lands job with security firm
- Feds invite comment on Internet wiretaps
- Phishing tab to reach $500 million
[03] Astalavista Recommends
- Tx - The Smallest VC++ Coded Universal Windows Backdoor
- Fwknop - Firewall Knock Operator
- Strike Out
- Network Wiretapping and the Government's Role
- Mail Non-delivery Notice Attacks
[04] Site of the month - Thawte Crypto Challenge
[05] Tool of the month - Spybot - Search&Destroy
[06] Paper of the month - The Phishing Guide
[07] Free Security Consultation
- Our university has recently discovered that..
- I have recently purchased "vendor's software" to protect against spyware..
- Like almost everyone, I'm a Windows user, how come..
[08] Enterprise Security Issues
- Overview of Web Filtering
[09] Home Users Security Issues
- Getting the best search results
[10] Meet the Security Scene
- Interview with Candid Wuest - a security researcher
[11] Security Sites Review
- Knowngoods.org
- GoogleDorks
- OpenWall
- WorldWideWardrive.org
- PerlMonks.org
[12] Astalavista needs YOU!
[13] Astalavista.net Advanced Member Portal
[14] Astalavista Feedback Contest - 2004
[15] Final Words
01. Introduction
-----------
Dear Subscribers,
Issue 9 of Astalavista's Security Newsletter is out! In this issue you're going
to read a small overview of Web Filtering, learn more about how to use Google's
advanced searching options, and you will be able to enjoy an interview with a
security researcher. You will also have the chance to participate in
Astalavista's Feedback Contest and win an Astalavista.net membership.

Enjoy your time!


Astalavista's Security Newsletter is mirrored at:
http://packetstormsecurity.org/groups/astalavista/
If you want to know more about Astalavista.com, visit the following URL:
http://astalavista.com/index.php?page=55
Previous Issues of Astalavista's Security Newsletter can be found at:
http://astalavista.com/index.php?section=newsletter
Editor - Dancho Danchev
dancho@astalavista.net
Proofreader - Yordanka Ilieva
danny@astalavista.net
------
Thawte Crypto Challenge - Crypto VI - Be the first to crack the code and win!
http://ad.doubleclick.net/clk;10740215;10262135;j
------
02. Security News
------------
The Security World is a complex one. Every day a new vulnerability is found,
new tools are released, new measures are made up and implemented etc.
In such a sophisticated Scene we have decided to provide you with the most
striking and up-to-date Security News during the month, a centralized
section that contains our personal comments on the issue discussed.
Your comments and suggestions about this section are welcome at
security@astalavista.net
------------
[ IMAGE VIRUS SPREADS VIA CHAT ]
A virus that exploits the recently discovered JPEG vulnerability has been
discovered spreading over America Online's instant-messaging program.
More information can be found at:
http://news.zdnet.com/2100-1009_22-5390463.html
http://www.techworld.com/opsys/news/index.cfm?NewsID=2236
http://www.webpronews.com/it/security/wpn-23-20040930WindowsJPEGVulnerabilityProtection.html
http://www.us-cert.gov/cas/techalerts/TA04-260A.html
http://www.internetweek.com/allStories/showArticle.jhtml?articleID=48800179
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
Astalavista's comments:
In a time when users are still unaware of the current worms' spreading
techniques, the worst-case malware scenario, namely a real JPEG vulnerability,
is in the wild, which once again opens the gap between Microsoft providing
updates and end users' lack of awareness on the topic.
[ U.N. WARNS OF NUCLEAR CYBER ATTACK RISK ]
The United Nations' nuclear watchdog agency warned Friday of growing concern
about cyber attacks against nuclear facilities.
More information can be found at:
http://securityfocus.com/news/9592
Astalavista's comment:
We have previously seen such attempts, and such a scenario should be well taken
care of, considering the obvious interest:
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=nuclear%2Bhacker%2Bsecurity
[ SASSER AUTHOR GETS IT SECURITY JOB ]
Sven Jaschan, a self-confessed creator of the destructive NetSky and Sasser
worms, has been hired by the German security company Securepoint. He's been
offered work as a trainee software developer working on security products, such
as firewalls, even though he may go to prison for creating one of the most
destructive computer viruses to date. Jaschan was charged this month with
computer sabotage. No trial date has been set.
More information can be found at:
http://www.theregister.co.uk/2004/09/20/sasser_kiddo_offered_job/
Astalavista's comment:
Unbelievable. On one hand we see Microsoft and the law enforcement agencies
trying to scare those authors off with huge rewards and prosecutions, while on
the other hand we see local companies "admiring" the "know-how" of malware
creators with the idea of building better products. Who else sees the big
picture here?
[ FEDS INVITE COMMENTS ON INTERNET WIRETAPS ]
The Federal Communications Commission (FCC) on Thursday launched a public
comment period on its plan to compel Internet broadband and VoIP providers to
open their networks up to easy surveillance by law enforcement agencies.
More information can be found at:
http://securityfocus.com/news/9582
Astalavista's comment:
It's time to see if an E-nation is as privacy-conscious as it should be.
http://gullfoss2.fcc.gov/cgi-bin/websql/prod/ecfs/upload_v2.hts?ws_mode=proc_name&proc_id=04-295
[ PHISHING TAB TO REACH $500 MILLION ]
A new study weighs in with estimates as to how much online fraud, or phishing,
is costing consumers. Seventy-six percent of consumers are experiencing an
increase in spoofing and phishing incidents, researchers found, and 35 percent
said they receive fake e-mails at least once a week.
More information can be found at:
http://www.cio-today.com/story.xhtml?story_title=Phishing_Tab_To_Reach______Million&story_id=27279
Astalavista's comment:
Recently we've seen enormous activity on the phishing scene, given the fact
that a large number of companies had the chance to build trust-based relations
with their online customers, not secured ones.
03. Astalavista Recommends
---------------------
This section is unique with its idea and the information included within. Its
purpose is to provide you with direct links to various white papers covering
many aspects of Information Security. These white papers are defined as a "must
read" for everyone interested in deepening his/her knowledge in the Security
field. The section will keep on growing with every new issue. Your comments and
suggestions about the section are welcome at security@astalavista.net
" TX - THE SMALLEST VC++ CODED UNIVERSAL WINDOWS BACKDOOR "
The Smallest VC++ Coded Universal Windows Backdoor for all versions of Windows
NT/2K/XP/2003 with any service pack. But not for Windows 98/ME! Since Microsoft
stopped the support for them, I can't code for an unsupported Operating system.
A Tini, Small, Petite app that listens on a fixed port and creates a command
shell when it receives a connection. Default port of listening is: 8080
http://www.astalavista.com/?section=dir&cmd=file&id=2872
" FWKNOP - FIREWALL KNOCK OPERATOR "
fwknop implements network access controls (via iptables) based on a flexible
port knocking mini-language, but with a twist; it combines port knocking and
passive operating system fingerprinting to make it possible to do things like
only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon.
http://www.astalavista.com/?section=dir&cmd=file&id=2879
" STRIKE OUT "
A beta version of the tool to automatically detect and index change tracking
information in a collection of Word documents published on a website (or stored
on a disk, mounted via SMB/NFS, etc) is now available. This tool, written and
used by Michal Zalewski, allowed him to recover very interesting information
off the Word file given out by Microsoft, as can be seen at:
http://lcamtuf.coredump.cx/strikeout/
http://www.astalavista.com/?section=dir&cmd=file&id=2836
" NETWORK WIRETAPPING AND THE GOVERNMENT'S ROLE "
The Internet is becoming a commonplace technology that everyone relies upon.
Consequently, we must also look at the policy concerns that the new medium
thrusts upon us. This document addresses the legal issues surrounding digital
wiretaps. It is targeted at a computer-literate audience. I briefly explain the
technical issues involved and explore their ramifications, focusing on the role
the government has played.
http://www.astalavista.com/?section=dir&cmd=file&id=2830
" MAIL NON-DELIVERY NOTICE ATTACKS "
Analysis of e-mail non-delivery receipt handling by live Internet-bound e-mail
servers has revealed a common implementation fault that could form the basis of
a new range of DoS attacks. Our research in the field of email delivery revealed
that mail servers may respond to mail delivery failure with as many non-delivery
reports as there are undeliverable Cc: and Bcc: addresses contained in the
original e-mail.
http://www.astalavista.com/?section=dir&cmd=file&id=2884
04. Site of the month
-----------------
Thawte Crypto Challenge - Crypto VI - Be the first to crack the code and win!
http://ad.doubleclick.net/clk;10740215;10262135;j
05. Tool of the month
-----------------
Spybot - Search&Destroy
Spybot - Search&Destroy is a freeware anti-spyware/anti-adware application that
has a large database of malicious programs, hijackers etc. You're strongly
recommended to use it, as it will definitely give you excellent results.
http://www.astalavista.com/?section=dir&act=dnd&id=2548
06. Paper of the month
------------------
The Phishing Guide - Understanding and Preventing Phishing Attacks
A document discussing and giving a detailed overview of various phishing
attacks, intended both for corporate and home readers.
http://www.astalavista.com/?section=dir&act=dnd&id=2886
07. Free Security Consultation
-------------------------
Have you ever had a Security related question but you weren't sure where to
direct it to? This is what the "Free Security Consultation" section was created
for. Due to the high number of Security-related e-mails we keep getting on a
daily basis, we have decided to initiate a service, free of charge. Whenever you
have a Security related question, you are advised to direct it to us, and within
48 hours you will receive a qualified response from one of our Security experts.
The questions we consider most interesting and useful will be published in
the section. Neither your e-mail, nor your name will be present anywhere.
Direct all of your Security questions to security@astalavista.net
Thanks a lot for your interest in this free security service, we are doing our
best to respond as soon as possible and provide you with an accurate answer to
your questions.
--------
Question: Hi there, thanks for the service! Our university has recently
discovered that a large number of our desktop computers are infected with
spyware. Since we don't have a centralized methodology to deal with the issue,
we require users to run Ad-Aware and various other applications; also we try to
block certain sites at the server level. Any recommendations on how to deal with
the issue will be appreciated?
--------
Answer: Users are not to be trusted when it comes to regularly updating
software. What you should have in place is more filtering at the server level in
terms of hosts known to be affiliated with spyware vendors, as well as applying
general protection practices for their browsers, which, I'm almost 100% sure,
are Internet Explorer ones, which pretty much makes all other efforts pointless.
If I were you, I would undertake an initiative to educate users on how insecure
IE is when it comes to spyware, and even debate on enforcing the use of another
more secure browser, anything else besides IE.


--------
Question: I have recently purchased "vendor's software" to protect against
spyware; it's considered to be one of the best among what I've read on major
security sites. In the end I got infected with something that bypasses my
firewall and my anti-spyware software. Can I rely on anything at all?
--------
Answer: No software can guarantee you 100% protection. Just think for a while
how you might be getting infected, so that you wouldn't do it again. The
majority of visitors get infected through visiting untrusted, cracks- or
porn-related web sites, or even by following "hot" links offering "hot and free"
stuff for their visitors. If it wasn't the software you're using now, you would
probably be infected with many more pests.
--------
Question: Like almost everyone I'm a Windows user; how come Windows is so
insecure, its software buggy, and the whole world is still using it? Yes, it's
dominating, but I really don't like the thought of having to learn how to work
with Linux to stay secure.
--------
Answer: Each OS has its advantages and disadvantages, so Linux wouldn't save you
from getting hacked - things don't work on the basis of the OS, although the OS
itself is an important issue when building with security in mind. Microsoft are
put under pressure from the whole world in order to provide vulnerability-free
software, but so are they to provide improvements and new software. Anyway,
things will change, and if they don't establish certain social responsibility
for the insecurity of their software, an alternative OS or solution will take
some of their market share, but don't forget that we still live in a Microsoft
dominated world.
08. Enterprise Security Issues
-------------------------
In today's world of high speed communications, of companies completely
relying on the Internet for conducting business and increasing profitability,
we have decided that there should be a special section for corporate security,
where advanced and highly interesting topics will be discussed in order to
provide that audience with what they are looking for - knowledge!
- Overview of Web Filtering
What are the benefits of web filtering?
Web filtering will ensure that potentially malicious web sites will not be
accessible by anyone in the organization, thus protecting the internal assets
and the sensitive information contained within. Web filtering is also useful
when enforcing a company's security policy; for example, that visiting online
gambling or hacking related web sites is forbidden.
Web filters rely on IP blocking and keyword blocking. Although the second
method is AI based, it doesn't yet provide perfect results; a combination of
both, however, will give remarkable results.
What are the disadvantages of web filtering?
In the majority of cases users spend a lot of time trying to bypass the
restrictions through using web proxies, online translators etc., thus wasting
productivity in the process. The ones creating the filtering rules should also
be aware that blocking popular and heavily visited sites would result in your
employees' anger. Make sure you have clear rules and a logical understanding of
why a certain site is considered forbidden.
What is the solution?
Educating the end users on various threats posed by their Internet usage at
work, or establishing a "you're monitored" policy with the idea to restrict
their (defined by you) forbidden activities at work. Mainly emphasize how
expensive it is for you to keep the company's current level of security,
compared to their insecure behaviour while using the company's systems.
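As an added illustration (not part of the newsletter) of the two methods described above, IP/host blocking and keyword blocking, combined into one decision, here is a small Python filter; it goes one step beyond the text by also inspecting the target URL hidden inside web-proxy and online-translator requests, the bypass route the overview warns about. Every host, keyword, address and log line in it is a constructed placeholder.

```python
"""Toy web filter: host/IP blocklist plus weighted keyword matching, with the
proxy/translator bypass route handled by inspecting the embedded target URL.
All policy data and log lines are constructed placeholders for the example."""
from __future__ import annotations
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed policy data (not a real blocklist).
BLOCKED_HOSTS = {"casino.example", "cracks.example"}     # exact or subdomain match
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
# Keyword blocking: each hit adds a weight and only the summed score decides,
# so one ambiguous word (e.g. "exploit" in a vendor advisory) is not enough.
KEYWORDS = {"casino": 3, "poker": 2, "warez": 3, "crack": 2, "exploit": 1}
THRESHOLD = 3
# Hosts of the kind the article names as bypass routes: web proxies, translators.
PROXY_HOSTS = {"proxy.example", "translate.example"}


def _host_blocked(host: str) -> bool:
    """IP blocking: match by name (including subdomains) or by literal address."""
    if host in BLOCKED_HOSTS or any(host.endswith("." + h) for h in BLOCKED_HOSTS):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal address
    return any(addr in net for net in BLOCKED_NETS)


def _keyword_score(text: str) -> int:
    """Keyword blocking: crude substring matching over URL and page title."""
    text = text.lower()
    return sum(weight for word, weight in KEYWORDS.items() if word in text)


def _embedded_target(query: str) -> str | None:
    """Proxies and translators carry the real destination in a query parameter;
    recover it so the policy is applied to the target rather than the proxy."""
    params = parse_qs(query)
    for key in ("u", "url", "q"):
        if params.get(key):
            return unquote(params[key][0])
    return None


def check_url(url: str, page_title: str = "") -> tuple[bool, str]:
    """Return (allowed, reason): host blocking, then bypass check, then keywords."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if _host_blocked(host):
        return False, f"host blocklist: {host}"
    if host in PROXY_HOSTS:
        target = _embedded_target(parts.query)
        if target is None:  # real destination not visible: fail closed
            return False, f"proxy/translator with uninspectable target: {host}"
        allowed, reason = check_url(target, page_title)
        tag = "via" if allowed else "bypass attempt via"
        return allowed, f"{tag} {host}: {reason}"
    score = _keyword_score(url + " " + page_title)
    if score >= THRESHOLD:
        return False, f"keyword score {score} >= {THRESHOLD}"
    return True, f"ok (keyword score {score})"


# Constructed proxy-log lines: user, URL, page title, tab-separated.
SAMPLE_LOG = [
    "alice\thttp://news.example/security\tExploit patched in browser",
    "bob\thttp://www.casino.example/lobby\tOnline Casino",
    "carol\thttp://proxy.example/browse?u=http%3A%2F%2Fcasino.example%2F\t",
    "dave\thttp://translate.example/?q=http://docs.example/manual\tManual",
    "erin\thttp://203.0.113.7/\t",
]


def audit(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (user, reason) for each line the policy blocks; the reasons show
    the rule author which bypass routes are actually in use."""
    blocked = []
    for line in log_lines:
        user, url, title = (line.split("\t") + ["", ""])[:3]
        allowed, reason = check_url(url, title)
        if not allowed:
            blocked.append((user, reason))
    return blocked
```

Running `audit(SAMPLE_LOG)` blocks bob (host list), carol (proxy wrapping a blocked host) and erin (blocked network) while alice's single "exploit" hit stays under the threshold, which is the point of scoring rather than matching single words.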
09. Home Users' Security Issues
-------------------------
Due to the high number of e-mails we keep getting from novice users, we have
decided that it would be a very good idea to provide them with their very
special section, discussing various aspects of Information Security in an
easily understandable way, while, on the other hand, improving their current
level of knowledge.
If you have questions or recommendations for the section, direct
them to security@astalavista.net
- Getting the best search results
Many of you are probably frustrated when using a search engine, as the majority
of results you get are commercial ones. But why do commercial pages appear
whenever you're searching? Because these sites have positioned themselves so
that the simple search techniques which represent the majority of searches today
will attract a larger audience.
Let's assume that you use Google, probably because it's still the best and most
popular search engine out there.
We have decided to provide you with various resources that will help you get the
best results ever:
Google's Advanced Search Tips - http://www.google.com/help/refinesearch.html
Advanced Search Tips - http://www.seorank.com/google-advanced-search-tips.htm
Tips for using Google - http://www.searchforancestors.com/archives/google.html
Google Tips and Tricks - http://astalavista.com/index.php?section=dir&cmd=file&id=2546
10. Meet the Security Scene
----------------------
In this section you are going to meet famous people, security experts and
all personalities who in some way contribute to the growth of the community.
We hope that you will enjoy these interviews and that you will learn a great
deal of useful information through this section. In this issue we have
interviewed Candid Wuest, an active participant in the security industry.
Your comments are welcome at security@astalavista.net
-----------------------------------------------
Interview with Candid Wuest
Astalavista: Candid, would you, please, introduce yourself to our readers and
tell us more about your background in the security industry?
Candid: Well, my name is Candid and I have been working in the computer security
field for several years now, performing different duties for different
companies. For example, IBM Security Research and Symantec to name the
most known ones. I got a master's degree in computer science but, in my opinion,
in this business curiosity is the main thing that matters.
Astalavista: What do you think has had a major impact on the popularity of
malware in recent years? Is it the easiness of coding a worm/trojan or the fact
that the authors don't get caught?
Candid: Why do people code worms? Because they can?
The first point I would like to mention here is the growth of the Internet as a
whole in the last years. More people getting a system and more people getting
broadband access means more people are exposed to the risks. You may say
the fish tank has grown over the years; therefore it is clear that there
is now also more space for sharks in it.
I think the few people who were caught have scared some and stopped
them from doing the same, but the media hype they have caused has for sure
attracted new ones to get started with the whole idea. So this might
balance out even, and these were mostly smaller fishes, which didn't take
enough precautions.
Another point to mention is that it is really easy to download a source
code and create your own malware and it is getting easier every day.
There are many bulletin boards out there with fast growing communities
helping each other in developing new methods for malware or simply
sharing their newest creations.

When recalling the last hundreds of worms we saw in the wild for the last
time, most of them were similar and much alike. Nearly no direct
destructive payload and not much innovation in regards to the used
methods. Just a mass mailer here or an IRC bot there.
That's why I think the motivation is a mixture of the easiness of doing
so and the mental kick suggested from the media, which pushes the bad
underground hacker image. (Even though the media seldom uses the term hacker
correctly in its original meaning.)
This seems to motivate many to code malware: just because they can.
In the future money might become a new motivation for malware writers,
when industrial parties get involved in it.
Astalavista: Where's the gap between worms in the wild and the large number of
infected computers? Who has more responsibility, the system administrators
capable of stopping the threat at the server level, or the large number of
people who don't know how to protect themselves properly?
Candid: As we all should know 100% security will never be reached, regardless of
what the sysadmin and the end user do. A good example for this is the
recent issue with the JPEG and TIFF malware, which sneaked through many
filters.
In my opinion the sysadmins have the easier task, as they can enforce
their restrictions; often it's just a question of having the time to do it
properly. Don't get me wrong here. I know the whole patching issue may be
quite a pain sometimes. Of course, they have all the users and the
management complaining if the restrictions are (too) tight, but that's
how it works, right :-)
Therefore I think often it is the end user who has not enough
protection or simply does not care enough about it. Many users still
think that no one will aim at them, as they are not an interesting
target, but DDoS attacks for example do exactly target such a user. Of
course, many end users don't have the possibilities of a sysadmin. In
general, it comes down to an AntiVirus and a personal firewall
application, which still leaves enough space for intruders to slip through.
So, as always, it should be a combination of an ISP, a sysadmin and an end user
working together to protect themselves.
Astalavista: We've recently seen a DDoS mafia, something that is happening even
now. What is the most appropriate solution to fight these? Do you think this
concept is going to evolve in time?
Candid: DDoS attacks are quite hard to counter if they are performed in a clever
way. I have seen concepts for which I haven't seen a working solution yet.
Some can be countered by load balancing and traffic shaping or by simply
changing the IP address if it was hard coded.
More promising would be if you could prevent the DDoS nets from being
created, but this goes back to question number three.
Astalavista: Have you seen malware used for e-spionage, and do you think it's
the next trend in the field?
Candid: This is nothing new; malware has been used for industrial e-spionage for
years. Usually, it just isn't that well known as those attacks might
never get noticed or admitted in public. I have seen plenty of
such attacks over the last years. This for sure will increase in time as
more business relevant data gets stored in vulnerable environments. In
some sort you could even call phishing an art of espionage. But I think
the next big increase will be in the adware & spyware field where
malware authors will start getting hired to write those applications as
it already happens today. Or are you sure that your favourite
application is not sending an encoded DNS request back somewhere?
11. Security Sites Review
--------------------
The idea of this section is to provide you with reviews of various highly
interesting and useful security related web sites. Before we recommend a site,
we make sure that it provides its visitors with quality and unique content.
http://knowngoods.org/
The web interface is fairly straightforward: point your favorite web browser
here, choose an OS and enter an application name, or the full path to the file.
http://johnny.ihackstuff.com/index.php?module=prodreviews
GoogleDorks: "an inept or foolish person as revealed by Google". A recommended
page.
http://openwall.com/
Open-source information security software.
http://worldwidewardrive.org/
The WorldWide WarDrive is an effort by security professionals and hobbyists to
generate awareness of the need by individual users and companies to secure their
access points.
http://perlmonks.org/
For all the Perl geeks out there, one of the best community sites.
12. Astalavista needs YOU!
--------------------
We are looking for authors that would be interested in writing security related
articles for our newsletter, for people's ideas that we will turn into reality
with their help, and for anyone who thinks he/she could contribute to
Astalavista in any way. Below we have summarized various issues that might
concern you.
- Write for Astalavista
What topics can I write about?
You are encouraged to write on anything related to Security:
General Security
Security Basics
Windows Security
Linux Security
IDS (Intrusion Detection Systems)
Malicious Code
Enterprise Security
Penetration Testing
Wireless Security
Secure programming
What do I get?
Astalavista.com gets more than 200 000 unique visits every day, our Newsletter
has more than 22,000 subscribers, so you can imagine what the exposure of your
article and you will be. Impressive, isn't it!
We will make your work and you popular among the community!
What are the rules?
Your article has to be UNIQUE and written especially for Astalavista; we are not
interested in republishing articles that have already been distributed somewhere
else.
Where can I see a sample of a contributed article?
http://www.astalavista.com/media/files/malware.txt
Where and how should I send my article?
Direct your articles to dancho@astalavista.net and include a link to your
article. Once we take a look at it and decide whether it is qualified enough to
be published, we will contact you within several days, please be patient.
Thanks a lot to all of you, our future contributors!
13. Astalavista.net Advanced Member Portal Promotion
------------------------------------------------
Astalavista.net is a world known and highly respected Security Portal offering
an enormous database of very well-sorted and categorized Information Security
resources, files, tools, white papers, e-books and many more. At your disposal
are also thousands of working proxies, wargames servers where all the members
try their skills and most importantly - the daily updates of the portal.
- Over 3.5 GByte of Security Related data, daily updates and always working
links.
- Access to thousands of anonymous proxies from all over the world, daily
updates.
- Security Forums Community where thousands of individuals are ready to share
their knowledge and answer your questions; replies are always received no matter
the question asked.
- Several WarGames servers waiting to be hacked; information between those
interested in this activity is shared through the forums or via personal
messages, and a growing archive of white papers containing info on previous
hacks of these servers is available as well.
http://www.astalavista.net/
The Advanced Security Member Portal


14. Astalavista Feedback Contest - 2004
----------------------------------
Don't have an Astalavista.net membership? Are you a fan of Astalavista.com?
topic - "Astalavista.com - The beginning, the future and me in between"
description - write your own story: how you first knew about Astalavista.com,
how long you have been visiting the site, how it helped you improve your
security, or your organization's security, what makes you visit the site over
and over again, when we evolved and what has changed. Share a funny or a
serious situation related somehow to Astalavista.com - remember what it was
when you first visited it and what it turned into. What do we have to improve,
how do you see the page in 5 years from now on, what are our strong and weak
points, but most of all, share a story that's worth telling!
minimum - 5 pages
maximum - up to you, the more comprehensive and original the feedback, the
higher the chance to win the contest
deadline - 1st of November, 2004
prize - the most original and inspiring stories will be rewarded with a lifetime
Astalavista.net - Advanced Security Member Portal membership
More information is available at:
http://www.astalavista.com/index.php?page=106
15. Final Words
----------
Dear Subscribers,
Astalavista's Feedback Contest is now live at the site; we'll be expecting your
comments and impressions about the site.
Hope you have enjoyed Issue 9, watch out for Issue 10 with a lot of new content.
Editor - Dancho Danchev
dancho@astalavista.net
Proofreader - Yordanka Ilieva
danny@astalavista.net
