SANS ISC InfoSec Handlers Diary Blog

Infocon Yellow; Windows and Backup Exec exploits are out, where are the exploits, NIST drafts, Snort signatures

Published: 2005-08-12
Last Updated: 2005-08-13 01:51:19 UTC
by William Stearns (Version: 1)

Infocon: Yellow



Due to a number of reliable, working Windows exploits for this week's patch
set, and the zero-day Veritas Backup Exec exploit, we have decided to raise the Infocon to yellow.

Advice: Use the weekend to patch ALL WINDOWS SYSTEMS. Consider accelerating
deployment of the patches even to critical systems if the weekend is quiet
anyway. Backup Exec should be firewalled off or disabled at this point.

Note: Consider unprotected Internet-facing machines compromised at this point if they do not have this week's patches applied. Patch them, and handle them with extra care.

Windows and Backup Exec exploits are out



In case you're waiting to see whether it's worth updating either
Windows or Veritas' Backup Exec, now's the time to do so. Live exploits
are out for both.

Specifically, MS05-039 appears to have three live exploits out for
it already, and Backup Exec has at least one.

We've said it already, but it's worth repeating - get those
patches in soon...

Which exploits are really out?



We've gotten a number of questions from readers about the
exploits we've mentioned over the past few days in the diary. Some of
them are publicly known and easily Google-able. Others are ones that
we've found out about from trusted sources that have asked us to not
share the exploit itself.

Because our goal is to provide timely alerts to the security
community, we generally don't provide the exploit code itself. If it
truly is publicly visible, you'll find it in a few minutes without our
help. And if the exploit is still generally private, we don't want to
be the conduit that accelerates attacks - people with lots of hat colors
read this diary. *smile*

Thanks for understanding.

NIST drafts



NIST has released the following draft security documents: Creating a Patch
and Vulnerability Management Program, Secure DNS Deployment Guide, Guide to
Malware Incident Prevention and Handling, Guide to Single-Organization IT
Exercises, Guide to Computer and Network Data Analysis: Applying Forensic
Techniques to Incident Response, and Codes for the Identification of
Federal and Federally-Assisted Organizations.

Preliminary Snort signatures for MS exploits



One reader was kind enough to forward some Snort signatures for
malware targeting the recently announced vulnerabilities. Credit for
these signatures goes to Blake Harstein at Demarc. The rules cover the
COM object instantiation issue fixed in MS05-038 (CVE-2005-1990): the
first rule only marks a session in which a web server's response carries
a "CLSID:" label followed by a well-formed GUID, and the three following
rules alert when that marked response contains one of the affected CLSIDs.

The pcre patterns are long, so each rule below is broken across several
physical lines with Snort's trailing-backslash continuation, which Snort
joins back into a single rule when it loads the file. Each pcre is kept on
one line; there must be no whitespace anywhere between pcre:" and /i".


# These rules are separated for compatibility with Snort 2.3.3 (which does
# not accept more than 850 characters per line). If you are using Snort
# 2.4.0 or later you can safely combine them into a single rule.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
  msg:"BLEEDING-EDGE EXPLOIT CLSID Pattern Matched"; \
  flowbits:isnotset,CLSID_DETECTED; flow:established,from_server; \
  pcre:"/CLSID\s*\:(?=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/i"; \
  flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious; \
  sid:2002174; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
  msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1)"; \
  flow:established,from_server; flowbits:isset,CLSID_DETECTED; \
  pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/i"; \
  classtype:web-application-attack; reference:cve,2005-1990; \
  reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; \
  sid:2002171; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
  msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2)"; \
  flow:established,from_server; flowbits:isset,CLSID_DETECTED; \
  pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E-409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CE-BE57-00AA0051FE20/i"; \
  classtype:web-application-attack; reference:cve,2005-1990; \
  reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; \
  sid:2002172; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
  msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3)"; \
  flow:established,from_server; flowbits:isset,CLSID_DETECTED; \
  pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1-8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF-7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-0000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A-11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43-F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/i"; \
  classtype:web-application-attack; reference:cve,2005-1990; \
  reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; \
  sid:2002173; rev:2;)
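To check how the two-stage flowbits logic behaves before loading the rules into a sensor, here is an added example (not code from the diary, from Demarc or from the Snort project) that parses two of the rules, the CLSID marker rule and the group-1 rule trimmed to its first three CLSIDs, and replays them in Python against constructed HTTP response bodies. The rule text is embedded in Snort's multi-line form with trailing-backslash continuation; the response bodies and the second CLSID in them are made up for the example, and Python's re module stands in for PCRE, which agrees with it for the constructs these patterns use.

```python
"""Added example: parse two of the Bleeding Edge rules from the diary and
replay their flowbits logic against constructed HTTP response bodies."""
import re

# Copied from the diary's rules in Snort's multi-line form (a trailing
# backslash continues the rule on the next line); group 1 trimmed to 3 CLSIDs.
RULES_TEXT = r'''
# sid 2002174 only sets the CLSID_DETECTED flowbit; it never alerts itself
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
  msg:"BLEEDING-EDGE EXPLOIT CLSID Pattern Matched"; \
  flowbits:isnotset,CLSID_DETECTED; flow:established,from_server; \
  pcre:"/CLSID\s*\:(?=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/i"; \
  flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious; \
  sid:2002174; rev:2;)

# sid 2002171 alerts only when the flowbit is already set for this session
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
  msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1)"; \
  flow:established,from_server; flowbits:isset,CLSID_DETECTED; \
  pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86/i"; \
  classtype:web-application-attack; reference:cve,2005-1990; \
  sid:2002171; rev:2;)
'''

# One rule option: a name, an optional ":value" (quoted values may hold ';'), then ';'.
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def logical_lines(text):
    """Apply Snort's continuation rule (a line ending in a backslash is joined
    with the next) and drop blank lines and '#' comments."""
    rules, pending = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        if pending and not pending.startswith("#"):
            rules.append(pending)
        pending = ""
    return rules


def compile_rule(rule):
    """Return (sid, compiled pattern, flowbits operations) for one rule."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = [(m.group(1), m.group(2)) for m in OPTION_RE.finditer(body)]
    sid = int(next(v for k, v in opts if k == "sid"))
    pcre = next(v for k, v in opts if k == "pcre").strip('"')
    pattern, flags = pcre[1:].rsplit("/", 1)        # "/pat/i" -> ("pat", "i")
    regex = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    flowbits = [v.split(",") for k, v in opts if k == "flowbits"]
    return sid, regex, flowbits


RULES = [compile_rule(r) for r in logical_lines(RULES_TEXT)]


def scan(body, rules=RULES):
    """Replay one server response through the rules in file order with a fresh
    flowbits state; return the SIDs that would alert.  Simplification: real
    Snort keeps flowbits per TCP session, so the marker may have been set by an
    earlier packet of the same response rather than by this body."""
    bits, alerts = set(), []
    for sid, regex, flowbits in rules:
        checks_pass = all(
            (name in bits) == (op == "isset")
            for op, *names in flowbits if op in ("isset", "isnotset")
            for name in names
        )
        if not checks_pass or not regex.search(body):
            continue
        for op, *names in flowbits:
            if op == "set":
                bits.update(names)
        if not any(op == "noalert" for op, *_ in flowbits):
            alerts.append(sid)
    return alerts


# Constructed response bodies, not captured traffic; the CLSID in BENIGN_PAGE is made up.
EXPLOIT_PAGE = '<object classid="clsid:03d9f3f2-b0e3-11d2-b081-006008039bf0"></object>'
BENIGN_PAGE = '<object classid="CLSID:12345678-1234-1234-1234-123456789ABC"></object>'
NO_LABEL_PAGE = 'var g = "03D9F3F2-B0E3-11D2-B081-006008039BF0";'

if __name__ == "__main__":
    for label, page in (("exploit", EXPLOIT_PAGE), ("benign", BENIGN_PAGE), ("no label", NO_LABEL_PAGE)):
        print(f"{label:9} -> alerting SIDs: {scan(page)}")
```

The three bodies show the design's properties: the lower-case "clsid:" page alerts on sid 2002171 because both patterns are case-insensitive; the page with an unlisted CLSID sets the flowbit but alerts nothing; and the page that carries an affected CLSID without the literal "CLSID:" label alerts nothing either, because the group rules depend entirely on the marker rule having fired in that session. That last case is the gap to keep in mind when relying on these signatures: content that reaches the same CLSID without spelling out "CLSID:" in the response is not covered.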



