MS08-067 Gone To Worm

A worm has been spotted in the wild that is exploiting the MS08-067 vulnerability for which Microsoft released an out-of-band update for yesterday. We urge you to update as soon as possible as there is now working code in the wild. All servers should be patched, especially external ones. If for some reason you have RPC exposed to the world, a very close look should be given to those systems as they may have already been compromised. Internal systems should be patched as soon as possible since this is now a worm, a worm that could be brought in through laptops or other means of access.
A little info on the worm itself, it has been dubbed Gimmiv.A. When the worm executes it will drop three files, winbase.dll, basesvc.dll and syicon.dll into the %System%\Wbem\basesvc.dll. It will then install a service named BaseSvc which will then force svchost.exe to load the trojan dlls. The trojan will collect data from the machine, including passwords, and send them to a remote machine.

Critical Windows Update

Today Microsoft is rolling out an unscheduled update. This vulnerability is critical and there are reports that it has been exploited by malware for the last few weeks. The most vulnerable systems are Windows 2000, Windows XP and Windows 2003. On these systems it is possible exploit the system without authentication. On Windows Vista and Windows Server 2008, the exploit requires authentiation to run, it would likely also lead to a Denial of Service condition due to the use of DEP and ASLR in these versions of Windows.

This is the first vulnerability that can be easily wormable in the past few years. It is very important that this update be tested and rolled out by your organization as soon as possible to prevent exploitation. The Security Bulletin can be found here.


I’d like to go over some of the tools that we mention on the blog. The first one I’d like to take a look at is OSSEC. You may have heard of us talking about it before, we mentioned it a few days ago. That was in relation to HoneyPoints and using OSSEC as another layer of your “defense in depth” strategy. I’ll explain what it does, and how it can help you.

First of all, what is OSSEC? OSSEC is an acronym for “Open Source Host-based Intrusion Detection System”. From the name you can see it’s a Host-based Intrusion Detection System (HIDS). As a HIDS it has the capability to do log analysis, integrity checking, Windows registry monitoring (and event log), rootkit detection, real-time alerting and active response against malicious hosts. It can be run locally, or as a centralized system with agents running on hosts.

So how does OSSEC relate to HoneyPoint? Well they both watch different things, and complement each other. While HoneyPoints are psuedo services and capture traffic from them, OSSEC watches real services for probes and compromises. It does this largely by a system of log analysis. I won’t go into it deeply, but the log analysis rules are very configurable, chainable, and fairly easy to write for anyone that knows regex and has a familiarity of basic scripting language.

With OSSEC’s active monitoring, it’s possible for the host to dynamically write firewall rules to block that host. Similar to HoneyPoints Plugin interface, with which you could also use to write a plugin to do that. You could even use OSSEC to watch your HoneyPoint Console syslogs and integrate HoneyPoint Console triggers with its own active response rules, to centralize blocking of hosts between HPSS and OSSEC.

As you can see, OSSEC can work quite nicely with HoneyPoint Security Server as part of a “defense in depth” strategy. There’s no single tool to “rule them all”, so to speak, so it’s important to watch from multiple perspectives! If you want to check out OSSEC, you can visit

WordPress Exploit

An exploit to hijack the administrator account has been released for WordPress. The exploit takes advantage of some flaws in both MySQL and the web application, and this vulnerability most likely affects other web applications. More information on the MySQL vulnerability can be found here. As such, we have disabled registration temporarily for this site, until WordPress has mitigated the vulnerability. We recommend that you do the same, for WordPress or anyother web application affected by this issue.

CERT Warns of SSH Attacks

Earlier this week US-CERT warned of attacks using stolen SSH keys. After access is gained to the machine, a rootkit (Phalanx2), is installed on the system. Once installed, the rootkit steals other keys from the system and sends them back to the attacker, allowing them to compromise other machines. The rootkit seems to create a directory, existance of the directory /etc/khubd.p2/ indicates a compromise. However, it should not be assumed because it’s not there that the machine is not compromised. It’s believed at least some of these machines were compromised by the Debian SSL Key bug from the summer.

US-CERT has provided some mitigation strategies to ensure that machines do not get compromised by this exploit. First, identify and examine systems where SSH keys are used as part of automated process. Any instance where keys are used without passphrases, a  passphrase should be used to reduce the risk of a compromise. Finally, ensure that internet facing systems are fully patched.

Bank Data Sold On Ebay

A few banks had a wake up surprise when they found that one of their servers had been sold on Ebay. The system was bought for about $150, and was acquired by an IT manager. Upon booting the machine he noticed that there were several cd ISOs on the disk array in the server. In each of these cd images were backups of customer credit card applications. The banks were notified by the buyer, but it is unknown where the machine was between the time it was at the bank and when it showed up on Ebay. I’m sure the banks are scrambling to implement encryption on their backups as we speak.

Trend Micro Auth Bypass

An issue has been discovered some Trend Micro products, which can be exploited by attackers to bypass authentication. Version affected are OfficeScan 7.0, 7.3, and 8.0; Worry-Free Business Security 5.0; and Trend Micro Client/Server/Messaging Suite versions 3.5, and 3.6. Currently there are fixes for OfficeScan 8.0, and Worry-Free Business Security 5.0. It’s expected that patches for other versions will follow shortly.

Internet Explorer Security Zone Bypass

It’s possible to bypass the security zones within Internet Explorer. An issue has been identified in the way that security policies are applied when a URI is specified in the UNC form: \\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE’. When a URI like this is accessed remotely, Internet Explorer does not apply the correct Security Zone Permissions. This issue affects Internet Explorer 5,6 and 7 under all versions of Windows.
Microsoft has released a work around for this issue. The work around can be found in Microsoft’s techbulletin for this issue.

SPAM Backscatter

We are getting many reports of mail servers under heavy load because of SPAM backscatter. This happens when a spammer uses a company’s email address to forge the “FROM” field in the email. When mail servers get these spam emails and reject them because they are sent to a user that doesn’t exist, the SPAM targeted mail server will send a bounce back message to the forged “FROM” field. Now as you might imagine, when a spammer sends out over a million emails it’s very likely that many of those will go to addresses that no longer exist, and innocent company in the “FROM” field gets blasted by thousands of bounce backs.

What can we do about this though? Unfortunately if you’re the one getting the backscatter, not a whole lot. However, you can help to prevent backscatter for others. We recommend that email servers be configured to REJECT bad email during the initial transaction instead of accepting it and creating a bounce back reply. Also consider not using “out of office” email replies. This also creates backscatter when the vacationed user receives spam. This could also land you on a spam blacklist, if whoever got the backscatter happened to report your mail server as a backscatter sender.