March 2005 - Posts

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Another round of DNS cache poisoning

(from handler Kyle Haugsness)

We are investigating another round of DNS cache poisoning. Reports have come in from some very large commercial organizations and they report using only Windows DNS servers that are secured against the attack or using Windows 2003. We are trying to identify whether this is a bug on Windows DNS servers. The symptoms of the current attack are as follows:

1. We still have not identified the trigger. If you know how people are being forced to the malicious DNS server (below), please let us know.

2. The malicious DNS server is 216.127.88.131. We are in the process of trying to get this IP address blackholed. In the meantime, the server is poisoning the entire .COM domain. It returns the following 3 IP addresses for any hostname lookup in .COM:

209.123.63.168 / 64.21.61.5 / 205.162.201.11


3. The 3 IP addresses above return a simple HTML page with the following embedded URLs. These servers are trying to drop malware on your machine, so DO NOT browse to them:

vparivalka .org /G7 /anticheatsys.php?id=36381

find-it .web-search .la

Some good news for a change.

News4Jax.com - News - Volusia County Girl Located; Alert Cancelled

Volusia County Girl Located; Alert Cancelled

POSTED: 8:59 pm EST March 28, 2005

PORT ORANGE, Fla. -- Authorities said the 12-year-old girl who disappeared Sunday has been located and the statewide alert is canceled.

Police in Port Orange said Nicole Horton was reported missing Sunday.

The Florida Department of Law Enforcement provided no information, other than the girl was found and the case has been resolved.

Police had said Nicole was likely abducted by two men who were in a Jeep Cherokee.

Port Orange is south of Daytona Beach in Volusia County.

CNN.com - Florida agency issues alert for missing girl, 12 - Mar 28, 2005

Florida agency issues alert for missing girl, 12

Monday, March 28, 2005 Posted: 12:01 PM EST (1701 GMT)


Nicole Horton was last reported seen in Port Orange, south of Daytona Beach.

(CNN) -- Florida officials issued an alert Monday for a 12-year-old girl, a day after she was last reported seen in Port Orange, south of Daytona Beach.

Nicole Horton was wearing a pink oversize shirt and black pants "and is believed to be in danger," the Florida Department of Law Enforcement said on its Missing Persons Web site.

Nicole is 5 feet 4 and weighs 120 pounds. She has brown hair and brown eyes.

The child likely was abducted by two men about 30 years old, the posting said.

One was described as 5 feet 8, blond, and wearing a white T-shirt and black shorts.

The other man was described as 5 feet 2 with black hair, and wearing a red shirt, black leather jacket and jean shorts.

They may be traveling in an old, white-with-black-trim Jeep Cherokee that is missing the right front hubcap, the posting said.

The agency urged anyone with information about the girl to call the Port Orange Police Department at (386) 756-7400.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

DNS Cache Poisoning Again

(from ISC handler Kyle Haugsness)

We have received information that another DNS cache poisoning attack has been launched. This time, it appears that the motivation is a little different. The site being re-directed to is a website that sells generic versions of popular prescription drugs. There are numerous references on the Internet to this site as being spammers and the like. We do not see any spyware/adware/malware being served from the server.

Before going any further, let's talk about the DNS server on Windows NT 4 and 2000 (not 2003). By default, the DNS server does NOT protect you against DNS cache poisoning. If you run a resolving nameserver on Windows NT 4 or Windows 2000, you are HIGHLY ADVISED to follow the instructions here to protect yourself from these attacks:

http://support.microsoft.com/default.aspx?scid=kb;en-us;241352

Here is how the attack works. First, there needs to be a trigger that forces the victim site's DNS server to query the evil DNS server. There are several ways to accomplish this. A couple of easy methods are e-mail to a non-existent user (which will generate an NDR to the source domain), spam e-mail with an external image, banner ads served from another site, or perhaps triggering it from a bot network or installed base of spyware.

Once the trigger executes, the victim's site DNS server queries the evil DNS server. The attacker includes extra information in the DNS reply packet. In this particular attack and the one from earlier in March, the reply packets contain root entries for the entire .COM domain. If your DNS server is not configured properly, then it will accept the new entries for .COM and delete the proper entries for the Verisign servers. Once this has occurred, any future queries that your DNS server makes for .COM addresses will go to the malicious DNS server. The server can give you any address it wants. In this attack, any hostname that you request is returned with a single IP address.
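The mechanism described above (extra .COM NS records smuggled into the authority section of a reply from an unrelated server, and a resolver that overwrites its cached delegation with them) comes down to whether the resolver applies a bailiwick check before caching. The following model is an added example written for this page; it is not Microsoft's DNS server code nor what KB 241352 configures, and the zone name "trigger.example." and the 192.0.2.x addresses are constructed placeholders. It shows the same poisoned reply processed by an unprotected resolver and by one that discards out-of-bailiwick records.

```python
"""Model of resolver cache poisoning via out-of-bailiwick authority records.

Added example, not code from the ISC diary or from any DNS server product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: absolute owner name, record type, and rdata."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """The three record sections of a DNS reply."""
    answer: list
    authority: list
    additional: list


def in_bailiwick(zone, name):
    """True if name equals zone or lies beneath it (root zone covers everything)."""
    z = zone.lower().rstrip(".")
    n = name.lower().rstrip(".")
    return z == "" or n == z or n.endswith("." + z)


def accept_records(resp, server_zone, secure):
    """Records a resolver will cache from resp.

    server_zone is the zone the resolver asked the answering server about.
    secure=True drops every record whose owner name is outside that zone;
    secure=False trusts the whole reply (the unprotected behaviour in the diary).
    """
    records = resp.answer + resp.authority + resp.additional
    if not secure:
        return records
    return [rr for rr in records if in_bailiwick(server_zone, rr.name)]


class ResolverCache:
    def __init__(self):
        self.rrsets = {}  # (owner name, type) -> set of rdata

    def ingest(self, records):
        """Replace each cached RRset wholesale with the newly received one.

        This is the overwrite step that lets bogus com. NS records evict the
        real gTLD servers when no bailiwick check is applied.
        """
        fresh = {}
        for rr in records:
            fresh.setdefault((rr.name.lower(), rr.rtype), set()).add(rr.rdata)
        self.rrsets.update(fresh)

    def lookup(self, name, rtype):
        return self.rrsets.get((name.lower(), rtype), set())


# Constructed sample data: the genuine .COM delegation (two real gTLD server
# names) and a reply from a server asked about the attacker-controlled zone
# "trigger.example." that carries new com. NS records in its authority section.
REAL_COM_NS = {"a.gtld-servers.net.", "b.gtld-servers.net."}
POISONED_NS = "ns1.trigger.example."


def poisoned_reply():
    return Response(
        answer=[RR("www.trigger.example.", "A", "192.0.2.10")],
        authority=[RR("com.", "NS", POISONED_NS)],
        additional=[RR(POISONED_NS, "A", "192.0.2.53")],
    )


def simulate(secure):
    """Return the .COM NS set the resolver holds after processing the reply."""
    cache = ResolverCache()
    cache.ingest([RR("com.", "NS", ns) for ns in REAL_COM_NS])
    cache.ingest(accept_records(poisoned_reply(), "trigger.example.", secure))
    return cache.lookup("com.", "NS")


if __name__ == "__main__":
    print("unprotected resolver   ->", sorted(simulate(secure=False)))
    print("bailiwick-checked      ->", sorted(simulate(secure=True)))
```

Running it shows the unprotected cache ending up with only the attacker's nameserver for com., while the checked cache keeps the gTLD servers. Real resolvers also use credibility ranking and TTL handling beyond this model, but the bailiwick rule is the piece that decides whether the diary's attack succeeds.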

The gory details are as follows... The site users are being re-directed to displays a page advertising megapowerpills.com. Interestingly, the real IP address for www.megapowerpills.com is different and seems to only host an "under construction" image. The malicious DNS servers have the IP addresses of 222.47.183.18 and 222.47.122.203. There are numerous domain names and nameservers that point to these IP addresses. Here are some of the domain names pointing to the malicious DNS servers:

baronpill.com
bizwebb.us
cbarricadepill.com
cflabbergastgood.com
cnd-dns.us
disc0unt.us
ezcliq.us
m-dns.us
medauditory.com
medverdantgood.com
medverdigrisgood.com
medverdictgood.com
outfacegood.com
outregood.com
prostrategood.com
ururu.us

Scott Fendley
Handler on Duty

Internet Storm Center Infocon Status

OK, I promised myself that I wasn’t going to say another word, but I can’t help it.

Rod makes some valid points in his response to my post, but I would rather have a secure browser no matter what it took.  No offense to Rod (I love you too big guy, in a purely platonic way of course), but I have never thought that the Microsoft way is the only way to go about doing things.

Richard and JD have made some great points in their posts as well, and they have pretty much covered the issue in my opinion.  It does seem that browsers are like religion these days; everyone thinks theirs is the best.

The only other thing I wanted to add is that both Richard and JD mentioned in their posts that they wished Firefox opened new windows in a tab instead of a new window.  All they need to do this is the Tabbrowser Preferences extension, which lets them configure Firefox to do just that.

OK that is it, I am not saying another word.  I still want to get invited to all the cool parties at MMS, if I haven’t already been blacklisted. :-)

Get Firefox!

Blogger’s Note: The comments, observations, and opinions expressed above are my own and do not necessarily reflect those of any other MyITforum blogger.

I talked to my Dad at lunch time today, and it seems that they are talking about letting him out of the hospital today.  He sounded pretty good except for some coughing, but he said he felt a lot better. He had a couple of spikes in temperature over night, but so far none since then.  Things seem to be looking up.

The doctors figured out that Dad did not have pneumonia, but apparently they don’t know for sure what he did have.  They are thinking it was severe flu, and\or maybe chronic bronchitis (seems like he has bouts like this about this time every year, just not this severe). Tests are still pending on that.  Really instills me with confidence about the doctors, let me tell you.

No matter what Dad did have, he really is doing better, and that is all that matters.

I would like to thank everyone that sent me e-mails of support, and everyone else that was pulling for Dad, it was greatly appreciated.

This is truly a great community we have here, isn’t it? :-)

Unlike other bloggers around here, I like Firefox and think it is better than IE in more ways than one.  It is my opinion, so I won’t start a blog war trying to get everyone to switch.  That is what is great about this country, freedom of choice.

I noticed that in JD’s post on the Mozilla GIF Overflow that the ISS alert mentioned that any version below 1.0.2 is not vulnerable to this problem.  The new version is already available from here: http://download.mozilla.org/?product=firefox-1.0.2&os=win&lang=en-US

Here is a list of known Firefox vulnerabilities, and what to do about them: http://www.mozilla.org/projects/security/known-vulnerabilities.html

You will notice that the Firefox vulnerabilities that have cropped up in the last several weeks have already been addressed.  With all due respect to Microsoft, you do not see that kind of turnaround from them when it comes to IE vulnerabilities.  You can see that for yourself on Secunia’s IE page; there are vulnerabilities listed there from 2003.

Others have also mentioned having to download an entire browser install to fix its vulnerabilities.  If you think back to all the patches for IE 6 SP1 that have come out since its debut, I wonder how big they would be if you added them all together?  Besides, I would rather have one download than ones numbering in the double digits.

OK, I have ranted enough.  Flame away.  :-)

Get Firefox!

Blogger’s Note: The comments, observations, and opinions expressed above are my own and do not necessarily reflect those of any other MyITforum blogger.

I have been in kind of a “funk” lately.  It seems I get this way every year right before MMS, lacking the motivation to get anything done but the bare minimum, and even a little bit restless. Maybe it is burn out from the day to day grind, or maybe I am just getting old.  It is silly really.  I have it pretty good all things said, and I don’t have anything to complain about. 

Sometimes life needs to smack you upside the head to set you back on track.

Right before I left for work yesterday, I got a call from my Sister in Missouri telling me that my Dad was in the ER.  I guess he started having trouble breathing, had the shakes, and got a high fever all of a sudden early that morning.  She called as they were just taking Dad to X-Ray, and they thought he had pneumonia, but the doctors weren’t sure yet.

Now pneumonia is a serious thing, but for my Dad, it is even more so.  He had another sudden bout of it about ten years ago that he just about didn’t recover from due to misdiagnosis.  I will spare the gory details, but it took several months in and out of the hospital and four hours of surgery before he finally started getting better.  That period of time had to be some of the darkest times I have ever been through, so you can imagine what kind of thoughts were racing through my head.

That call had a sobering effect on me.  All those little everyday things that were bugging me just seem so small and trivial now.  I actually felt ashamed for letting that kind of thing get to me, getting a harsh reminder that there are more important things in life.  The first of those is family.

I got to talk to my Dad at lunch yesterday and again last night.  He sounded pretty good, if not a little on the rough side.  He is still fighting a low grade fever, but the doctors have him on two antibiotics and are keeping an eye on things. They are confident that they caught it early this time. 

Mom is also keeping the doctors in line this time, whether they like it or not.  My Sister works for the same hospital, so hopefully she can keep Mom from being kicked out.  :-)

Hang in there Pop, and get well soon.

CNN.com - Georgia issues alert in child abductions - Mar 22, 2005

Georgia issues alert in child abductions


JONESBORO, Georgia (AP) -- A statewide alert was issued for a man who police say assaulted his ex-girlfriend in her home early Tuesday, critically wounded her father and then abducted her two small children.

The man was identified by authorities as Terrance McDowell, the father of one of the abducted children.

McDowell, 27, of Riverdale, Georgia, went to the 20-year-old woman's home in Conley at 3 a.m., forcing his way in with a gun, Clayton County Police Capt. Tim Robinson said.

McDowell assaulted the woman and shot her 64-year-old father in the face and chest before fleeing in her car with the two children, Robinson said.

An alert, called a Levi's Alert in Georgia, was issued for 5-year-old Jaquan Wright and his 4-year-old sister, Faith McDowell. Terrance McDowell is Faith's father, authorities said.

The woman's father was in critical condition at Grady Memorial Hospital in Atlanta, police said.

F-Secure : News from the Lab

Three new Symbian trojans in one day

Posted by Jarno @ 13:52 GMT

Today we added descriptions for three new Symbian trojans found late monday. Drever.B, Drever.C and Skulls.F.

The Drever.B is a simplified version of Drever.A that attacks only Simworks Anti-Virus; it is likely that Drever.B is actually an earlier case than Drever.A, but was found only later.

The Skulls.F is still under analysis, it is detected with generic detection from December 15th 2004, so it's a minor case.

The Drever.C is an interesting case, as in addition to attacking the Kaspersky and Simworks Symbian Anti-Viruses, it also attacks F-Secure Mobile Anti-Virus.

Drever.C tries to damage the bootloader and application binaries of F-Secure Mobile Anti-Virus. However, F-Secure Mobile Anti-Virus has protection against any attempts to modify its files, so the attack will not succeed.

If the Drever.C SIS file is installed on a Symbian device with F-Secure Mobile Anti-Virus running in Real-Time scan mode, as it is by default, the installation will terminate when the system installer tries to replace the Anti-Virus files.

The hex-edited files that Drever.C tries to use to damage F-Secure Mobile Anti-Virus contain a message intended for us.

FSECURE MUST DIE!!!!!!
Please, don't make new antiviruses for my viruses and I stop make
viruses for your antiviruses. My target is Simworks!
=)

Thanks for the warning, but I don't think we are stopping any time soon.

I don’t know how I missed this last week, but I had this e-mail forwarded to me from our TAM about some new features and command line switches for the Update.exe installer:

This Alert is to make you aware of a Microsoft Knowledge Base article, 832475, that describes new features in the Update.exe installer. Because this installer is used for security updates, these new features may be relevant to future security updates.

Premier customers should review this Knowledge Base article to be familiar with these new features. This article is available at this location: http://support.microsoft.com/kb/832475

In addition, Premier customers may want to review these additional resources regarding the Update.exe installer.

- Microsoft Knowledge Base article 262841 - Command-line switches for Windows software update packages: http://support.microsoft.com/kb/262841
- Microsoft Knowledge Base article 828930 - How to integrate software updates into your Windows installation source files: http://support.microsoft.com/kb/828930
- Inside Update.exe - The Package Installer for Windows and Windows Components: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deployment/winupdte.mspx

I would suggest everyone that has to deal with patch management take a look at these articles; from what I have read so far, there is some pretty important stuff in here.  For example, here is some information on the new command line switches for Update.exe from KB articles 832475 and 262841.

Version 6.1.22.0 and later versions of the package installer for Windows software updates (Update.exe) support the following new features and changes:

- A new /log command-line switch to enable redirection of the log files produced by the package installer.
- A new /warnrestart command-line switch to present a dialog box with a timer at the end of an unattended installation or removal, warning the user that their system will restart if a restart is required.
- A new /promptrestart command-line switch to present a dialog box at the end of an unattended installation or removal, prompting the user to let their system restart if a restart is required.
- Changes to the /passive switch so that when a restart is required, a dialog box with a timer is displayed at the end of installation or removal, warning the user that their system will restart.
- Flags set in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update\UpdateExeVolatile to indicate when a restart is required after installation or removal of a software update such as a security update, critical update, or hotfix.
- The /uninstall and /listupdates command-line switches have been discontinued. See the More Information section for alternatives.

Version 5.4.15.0 and later versions of the package installer for Windows software updates (Update.exe) support the following new features:

- A new /integrate command-line switch to integrate software updates into your Windows installation source files.
- Changes to the /extract switch.

Command-line switches for the Update.exe program

The following table lists the command-line switches that are supported by each different version of the Update.exe program. Each entry gives the standard switch, the description of the switch, and the versions of Update.exe that support it.

/help
    Displays command-line help.
    Version 5.3.24.3 and later versions support the /help switch. For compatibility with older versions, the /? switch can be used.

/passive
    Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
    Version 5.3.24.3 and later versions support the /passive switch. For compatibility with older versions, the /u switch can be used.

/quiet
    Quiet mode - same as unattended mode, but no status or error messages are displayed.
    Version 5.3.24.3 and later versions support the /quiet switch. For compatibility with older versions, the /q switch can be used.

/norestart
    Do not restart the computer when the installation is finished.
    Version 5.3.24.3 and later versions support the /norestart switch. For compatibility with older versions, the /z switch can be used.

/warnrestart
    Presents a dialog box with a timer warning the user that the computer will restart in x seconds (default is 30 sec). Intended for use with either the /quiet or /passive switch.
    Version 6.1.22.0 and later versions support the /warnrestart switch.

/forcerestart
    Restart the computer after installation and force other applications to close at shutdown without saving open files first.
    Version 5.3.24.3 and later versions support the /forcerestart switch.

/promptrestart
    Presents a dialog box to prompt the user to restart if required. Intended for use with /quiet or /passive.
    Version 6.1.22.0 and later versions support the /promptrestart switch.

/forceappsclose
    Forces other programs to close when the computer shuts down.
    Version 5.4.15.0 and later versions support the /forceappsclose switch. For compatibility with older versions, the /f switch can be used.

/nobackup
    Do not back up files for uninstall.
    Version 6.1.22.0 and later versions support the /nobackup switch. For compatibility with older versions, the /n switch can be used.

/overwriteoem
    Overwrite OEM files without prompting.
    Version 6.1.22.0 and later versions support the /overwriteoem switch. For compatibility with older versions, the /o switch can be used.

/integrate:path
    Integrates the software updates into the Windows installation source files located at the path specified. Note that :path refers to the folder that contains the i386 folder.
    Version 5.4.15.0 and later versions support the /integrate:path switch. For compatibility with older versions, the /s switch can be used.

/log:path
    Allows the user to specify where to create the log file.
    Version 6.1.22.0 and later versions support the /log switch.

/ER
    Enable extended error reporting.
    All versions support the /ER switch.

/verbose
    Enable verbose logging. Creates %Windir%\CabBuild.log upon install that details files to be copied. Using this switch may cause the installation to occur much slower.
    Version 5.3.24.3 and later versions support the /verbose switch. For compatibility with older versions, the /v switch can be used.

/d:path
    Specifies a backup directory for Windows Service Pack installation. :path indicates the destination folder for the backup files. The default backup location is %Systemdrive%\$ntservicepackuninstall$.
    This switch is not available for updates other than Service Packs and is available only in Installer versions 5.3.16.5 and later versions.

/extract[:path]
    Extracts files without starting Setup. If ":path" is not included, you are prompted for the path of a destination folder to extract the files. If ":path" is used, the files are extracted to the specified destination folder.
    Version 5.3.24.3 and later versions support the /extract switch. For compatibility with older versions, the /x switch can be used.

/hotpatch:disable
    Disables hotpatching functionality, and installs the cold patch only.
    This is only to be used for Windows Server 2003 packages that support hotpatching and is available in versions 6.1.22.0 and later. For more information on hotpatching, see the "References" section in this article for a link to the "Inside Update.exe" whitepaper.
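A patch-management script that drives Update.exe has to pick the standard or the older compatibility switch depending on which Update.exe version a given package carries, and refuse switches the package cannot honour (for instance /log has no pre-6.1.22.0 equivalent). The helper below is an added example for this page, not Microsoft's code or tooling; its switch/version table is the one reproduced above, the package name "PKG.exe" is a placeholder, and it assumes that a compatibility switch such as /q or /z is accepted by every version older than the one that introduced the standard form.

```python
"""Choose Update.exe switches that the package's own Update.exe version understands.

Added example; not part of any Microsoft article or tool.
"""
import subprocess
import sys

# name -> (standard switch, older compatibility switch or None,
#          first Update.exe version that supports the standard switch)
# Values come from the KB 262841 switch table reproduced on this page.
SWITCHES = {
    "passive":        ("/passive",        "/u", "5.3.24.3"),
    "quiet":          ("/quiet",          "/q", "5.3.24.3"),
    "norestart":      ("/norestart",      "/z", "5.3.24.3"),
    "forcerestart":   ("/forcerestart",   None, "5.3.24.3"),
    "warnrestart":    ("/warnrestart",    None, "6.1.22.0"),
    "promptrestart":  ("/promptrestart",  None, "6.1.22.0"),
    "forceappsclose": ("/forceappsclose", "/f", "5.4.15.0"),
    "nobackup":       ("/nobackup",       "/n", "6.1.22.0"),
    "overwriteoem":   ("/overwriteoem",   "/o", "6.1.22.0"),
    "integrate":      ("/integrate",      "/s", "5.4.15.0"),
    "log":            ("/log",            None, "6.1.22.0"),
    "extract":        ("/extract",        "/x", "5.3.24.3"),
    "verbose":        ("/verbose",        "/v", "5.3.24.3"),
}


def parse_version(text):
    """'6.1.22.0' -> (6, 1, 22, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def build_command(package, installer_version, options, values=None):
    """Return an argv list for `package` using only switches valid for installer_version.

    options: names from SWITCHES, in the order they should appear.
    values:  optional {name: value} for switches that take ":path" (log, integrate, extract).
    Raises ValueError when a requested switch has no form the version supports.
    """
    have = parse_version(installer_version)
    values = values or {}
    argv = [package]
    for name in options:
        standard, legacy, since = SWITCHES[name]
        if have >= parse_version(since):
            switch = standard
        elif legacy is not None:
            switch = legacy  # assumption: the older form works on every earlier version
        else:
            raise ValueError(
                f"{standard} requires Update.exe {since} or later; "
                f"this package carries {installer_version}"
            )
        if name in values:
            switch += ":" + values[name]
        argv.append(switch)
    return argv


def run_update(argv):
    """Run the assembled command and return its exit code (Windows only)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("Update.exe packages can only be executed on Windows")
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed usage: a 6.1.22.0 package installed silently with a log, and the
    # same intent expressed for an old package that only knows the short switches.
    print(build_command("PKG.exe", "6.1.22.0", ["quiet", "norestart", "log"], {"log": r"C:\patchlogs"}))
    print(build_command("PKG.exe", "5.0.0.0", ["quiet", "norestart", "forceappsclose"]))
```

The returned list can be handed to subprocess.run as-is (no shell quoting needed), and the ValueError path is what tells a deployment job that a package is too old for the logging or restart-prompt behaviour it was asked for, rather than silently passing an ignored switch.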


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Java WebStart Cross Platform Vulnerability, cont.

Yesterday's diary didn't explicitly mention that version 1.5.0 of J2SE (a.k.a. J2SE 5.0) isn't vulnerable. So I'll make it clear: it's supposed not to be vulnerable. Unfortunately it isn't all that simple to upgrade between major Java versions in real life.
The issues with third-party software demanding certain versions of the Java environment often make the lives of system administrators miserable. That's to be expected. But even for in-house code it unfortunately just isn't easy to change these things as and when one would want or need to.


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis


Handler's Diary March 20th 2005
Handler on Duty: Chris Carboni
Updated March 21st 2005 00:37 UTC
Yahoo Messenger worm?; exploited.lsass.cc bot traffic

A user reported "I've been receiving messages from people I haven't talked to in years via Yahoo Messenger tonight. The message is simply a URL. The URL is
http://yahoo-secretDOTtripodDOTcom"

If you're seeing traffic to exploited.lsass.cc, you should examine your hosts for a new bot.

A few of the handlers are examining a new bot binary.
A bot controller was discovered during this malware analysis.
The bots connect to "exploited.lsass.cc" on port 19899 (TCP), which currently resolves to:
Name: exploited.lsass.cc
Address: 158.195.101.192
Name: exploited.lsass.cc
Address: 140.123.105.125

DNS resolution is provided by dnsmadeeasy.com

The binary appears to be a version of rbot/sdbot.

AntiVir 6.30.0.7 03.18.2005 no virus found
AVG 718 03.18.2005 no virus found
BitDefender 7.0 03.20.2005 Backdoor.RBot.B43AC4F1
ClamAV devel-20050307 03.19.2005 no virus found
DrWeb 4.32b 03.19.2005 no virus found
eTrust-Iris 7.1.194.0 03.19.2005 no virus found
eTrust-Vet 11.7.0.0 03.18.2005 no virus found
Fortinet 2.51 03.20.2005 no virus found
F-Prot 3.16a 03.19.2005 no virus found
Ikarus 2.32 03.18.2005 Backdoor.Win32.Wootbot.AM
Kaspersky 4.0.2.24 03.20.2005 Backdoor.Win32.SdBot.gen
McAfee 4450 03.18.2005 no virus found
NOD32v2 1.1030 03.19.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 03.17.2005 W32/MEWpacked.gen
Panda 8.02.00 03.19.2005 W32/Sdbot.CJM.worm
Sybari 7.5.1314 03.20.2005 Backdoor.Win32.Rbot.gen
Symantec 8.0 03.19.2005 W32.Spybot.Worm
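The diary gives three indicators worth hunting for: the controller hostname, the two addresses it resolved to, and TCP port 19899. Because only a minority of the scanners above flagged the binary, network evidence is often the faster way to find infected hosts. The script below is an added example (not ISC code) that runs those indicators over constructed firewall and DNS log lines; the log format, the 10.0.0.x client addresses and the timestamps are assumptions made up for the example, and only the indicators themselves come from the diary.

```python
"""Flag internal hosts that looked up or connected to the bot controller from the diary.

Added example; the log line format is an assumption, not any product's real format.
"""
import re
from collections import defaultdict

# Indicators taken from the ISC diary above.
BOT_C2_HOST = "exploited.lsass.cc"
BOT_C2_IPS = {"158.195.101.192", "140.123.105.125"}
BOT_C2_PORT = 19899

# Constructed log formats: one line per firewall session and one per DNS query.
FW_RE = re.compile(
    r"^(?P<ts>\S+) FW src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)"
)
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS client=(?P<src>[\d.]+) query=(?P<qname>\S+)")


def classify(line):
    """Return (internal host, reason) when the line matches an indicator, else None."""
    m = FW_RE.match(line)
    if m:
        dst, dport = m["dst"], int(m["dport"])
        if dst in BOT_C2_IPS and dport == BOT_C2_PORT:
            return m["src"], f"tcp connection to {dst}:{dport}"
        if dst in BOT_C2_IPS:
            # Same address on another port: still worth a look, the controller may move ports.
            return m["src"], f"traffic to known C2 address {dst}"
        return None
    m = DNS_RE.match(line)
    if m and m["qname"].rstrip(".").lower() == BOT_C2_HOST:
        return m["src"], f"DNS lookup of {BOT_C2_HOST}"
    return None


def suspect_hosts(lines):
    """Group every indicator hit by the internal host that produced it."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            host, reason = result
            hits[host].append(reason)
    return dict(hits)


# Constructed sample log: two infected workstations and one benign host.
SAMPLE_LOG = """
2005-03-20T22:15:03Z DNS client=10.0.0.12 query=exploited.lsass.cc.
2005-03-20T22:15:04Z FW src=10.0.0.12:3412 dst=158.195.101.192:19899 proto=tcp
2005-03-20T22:15:09Z FW src=10.0.0.33:1099 dst=192.0.2.80:80 proto=tcp
2005-03-20T22:16:40Z DNS client=10.0.0.33 query=www.example.com.
2005-03-20T22:17:02Z FW src=10.0.0.57:2201 dst=140.123.105.125:19899 proto=tcp
""".strip().splitlines()


if __name__ == "__main__":
    for host, reasons in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

Matching the DNS query as well as the connection matters: if the controller's addresses change (the diary notes the name is served by a commercial DNS provider, so that is cheap for the operator), the hostname lookup still catches the infected machine.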


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Java WebStart Cross Platform Vulnerability

Systems running Java J2SE 1.4.2_06 and earlier 1.4.2 releases have been determined to be vulnerable to a malicious JNLP file, resulting in an untrusted application being able to elevate its privileges and escape the restricted environment. This affects browsers (and other applications using "javaws") on Windows, Linux, and Solaris, and could lead to a cross-platform worm. Solutions are to upgrade the J2SE environment, or disable "application/x-java-jnlp-file" JNLP handlers within your web browsers. According to the discoverer, Jouko Pynnonen, versions of J2SE prior to 1.4.2 (e.g., the 1.3 and earlier 1.4 series) are not vulnerable to this attack. A proof of concept has been released, and overall impact is similar to the recent IFRAME attack, so it is likely that we'll see this one in the wild.

See also the K-Otik Advisory and the SunSolve Alert Notification
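The affected range in the diary (1.4.2 up to and including 1.4.2_06, with 1.4.2_07 and later, the earlier 1.4.x and 1.3.x trains, and 1.5.0 not affected) is easy to get wrong in an inventory script because J2SE version strings carry an underscore-separated update number. The following added example (not ISC or Sun code) parses `java -version` banners and lists the hosts that still need to be upgraded or have their JNLP handler disabled; the hostnames and banner build strings in SAMPLE_INVENTORY are constructed.

```python
"""Triage J2SE installs against the JNLP-vulnerable version range from the diary.

Added example; hostnames and banner text below are constructed sample data.
"""
import re

# "1.4.2_06" -> major.minor.micro with an optional _update suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")
# First line of `java -version` output, e.g.  java version "1.4.2_05"
JAVA_BANNER_RE = re.compile(r'java version "([^"]+)"')


def parse_java_version(text):
    """Turn "1.4.2_06" into (1, 4, 2, 6); a missing update number counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised J2SE version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def version_from_banner(output):
    """Extract the quoted version from `java -version` output."""
    m = JAVA_BANNER_RE.search(output)
    if not m:
        raise ValueError("no 'java version' line found in output")
    return m.group(1)


def jnlp_vulnerable(version):
    """True for 1.4.2 through 1.4.2_06 only, as the diary states."""
    v = parse_java_version(version)
    return v[:3] == (1, 4, 2) and v[3] <= 6


def hosts_needing_action(inventory):
    """inventory: {hostname: banner text}. Returns sorted (host, version) pairs in the vulnerable range."""
    flagged = []
    for host, banner in inventory.items():
        version = version_from_banner(banner)
        if jnlp_vulnerable(version):
            flagged.append((host, version))
    return sorted(flagged)


# Constructed sample inventory covering each case the diary distinguishes.
SAMPLE_INVENTORY = {
    "ws-101": 'java version "1.4.2_05"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)',
    "ws-102": 'java version "1.4.2_07"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_07-b05)',
    "ws-103": 'java version "1.5.0_01"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_01-b08)',
    "ws-104": 'java version "1.3.1_12"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_12-b03)',
    "ws-105": 'java version "1.4.2"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2-b28)',
}


if __name__ == "__main__":
    for host, version in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: J2SE {version} is in the vulnerable 1.4.2 range")
```

Comparing parsed tuples rather than strings is the point: a plain string comparison would rank "1.4.2_10" below "1.4.2_06", and treating a bare "1.4.2" as update 0 keeps the original GA release inside the affected range.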


I was afraid of something like this.  I hope this guy gets what he deserves.

CNN.com - Search under way for girl's body - Mar 18, 2005

Search under way for girl's body
Sheriff: 'I've got my man'


HOMOSASSA SPRINGS, Florida (CNN) -- A search is under way in Homosassa Springs, Florida, for Jessica Lunsford's body after Citrus County Sheriff Jeff Dawsy said a convicted sex offender police have been questioning confessed to abducting and killing her.

"John Couey admitted to abducting Jessica and subsequently taking her life," Dawsy told reporters Friday. "I've got my man."

The announcement came after authorities sealed off Couey's sister's home with yellow crime scene tape.

Dawsy said Couey provided general information about where the body could be found and that the search could take hours.

Law enforcement sources told CNN that Couey said he buried the girl behind his sister's home.

Couey was staying at the property, which is located across the street from the Lunsford home, when the girl disappeared three weeks ago.

Jessica lived with her father, Mark, and her grandparents. Her grandmother was the last to see her, having tucked the girl into bed the night of February 23. The next morning, the girl was missing.

Couey, 46, is registered as a sex offender in Citrus County but wasn't living at the address he had given authorities, sheriff's department spokeswoman Ronda Hemminger Evan said.

The girl's father said he had never seen Couey before or heard his name. He had earlier told reporters he was not convinced that Couey was involved.

Couey's confession

Dawsy said that Couey confessed after taking a lie-detector test Friday.

"At the end of the polygraph, he says, 'You don't need to tell me the results. I already know what they are,' " Dawsy said.

Couey then asked for investigators to be sent back in and apologized "for wasting their time," the sheriff said.

Dawsy said the girl's father and her mother, Angela Bryant, who lives in Ohio, have been notified.

"This is a very tough time, not only for me, it's a very tough time for the family," the sheriff said, his voice cracking.

Couey late Friday remained in the custody of authorities in Georgia. Dawsy said he was working with the state's attorney about the extradition process, adding that they have built "a very methodical case."

Couey was arrested on parole violation charges at a homeless shelter in Augusta, Georgia, Thursday and questioned in the Lunsford girl's disappearance, law enforcement sources said.

Richmond County Sheriff Ronnie Strength described Couey as "cooperative."

"He was taken without incident. He did not try to hide who he was," the sheriff said. "He told us who he was. And we had no problem whatsoever with him."

A relative told detectives that Couey left Florida for Savannah, Georgia by bus -- under an assumed name -- four days after Lunsford was reported missing. There, he was interviewed by police at a shelter. But they had no jurisdiction to hold him, and Couey eventually made his way to Augusta, more than 100 miles away when he was arrested at a Salvation Army shelter.

Warrant issued after address change

Authorities said that Couey was among a number of sex offenders being considered after Lunsford went missing.

Under Florida law, a convicted sex offender must register his change of address. When police were unable to find Couey at the home where he was most recently registered, authorities determined he was living across from the Lunsford home with a relative.

Couey's record raised particular concern because of his more than three-decade-long criminal history, including 24 arrests on charges for burglary, carrying a concealed weapon, indecent exposure, disorderly conduct, larceny and drugs.

In 1991 Couey pleaded guilty to felony charges of sex offense against a child, fondling a child under 16, and lewd and lascivious conduct in Kissimmee, Florida.

He was also convicted of indecent exposure in 1987, according to records from the sheriff's office.

During a 1978 burglary, for which Couey was convicted, he was accused of grabbing a girl in her bedroom, placing his hand over her mouth and kissing her, Dawsy said.

CNN's Susan Candiotti, Sara Dorsey, Patrick Oppmann, Richard Phillips and John Zarrella contributed to this report.

Find this article at:
http://www.cnn.com/2005/US/03/18/missing.girl/index.html


F-Secure : News from the Lab

Two new Symbian trojans in one day.

Posted by Jarno @ 14:30 GMT

Today two new Symbian trojans were discovered.

Drever.A is a SIS file trojan that tries to disable Simworks Anti-Virus and Kaspersky Anti-Virus.



Locknut.B is a new variant of the Locknut trojan family, which disables the phone so that it can be disinfected only with a special disinfection tool. However, as F-Secure Mobile Anti-Virus detects it with generic detection, it is not a threat to our users.

Both cases are now detected with Mobile Anti-Virus.

Also we had an idea of trying Series 60 malware on other Symbian devices, and the results were rather surprising. Neither Cabir nor Comwarrior work on Series 80 or Series 90 devices, but Skulls and Locknut do work.

We tried Skulls.A on a Series 80 device, and Skulls does cause problems there. The menu is not disabled, but Skulls does replace the icons with skull pictures, and the application manager is disabled, so disinfecting Skulls takes some work.

We also tried Locknut.A on a Series 90 device, and the device is severely impaired by it. After installing Locknut.A and rebooting the phone, the phone will no longer boot.

However, Series 60 malware is not a significant threat on other Symbian series devices, as installing it takes even more steps, and the user gets an extra warning that the application will cause errors in the device.

But then again, people are curious, so the threat exists, even if it is small.

Virus.Org :: Information Technology Security News And Updates

Phishers Exploit Banking Frames
Posted by: Editor on Thursday, March 17, 2005 - 03:55 PM
CyberCrime and Forensics

It seems the phishers are trying some new tricks to dupe people out of their hard-earned money. We have received some reports of some particularly crafty attacks being targeted at Charter One Bank customers.

There have been two attempts to steal information from Charter One bank customers; the first was seen last week and was targeted against the Charter One Personal Online Banking site at www.totallyfreebanking.com. The second attack was targeted against users of the www.charterone.com web site.

In the case of the first attack, the phisher attempted to exploit a weakness in Charter One’s own site that allowed the display of an arbitrary URL within a frame on the site. The attack also used an SSL-enabled site to house the fake page to ensure that no warnings were displayed. As a result, the fake page was shown within another page from the Charter One site, and the page security padlock would give a false indication of the security of the page, as it would appear to most users that this is a legitimate Charter One page.

The second attack used an iframe trick to inject arbitrary content into a page at www.charterone.com, making it very difficult to tell that anything is afoot. Jeremy Wagstaff, who is a technology columnist with Dow Jones, writes about the second phishing attack in his blog here.
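As an added example (not code from Virus.Org or Charter One), here is how a server-side handler can refuse to frame an arbitrary URL supplied in a request parameter, the weakness the first attack relied on; the allowed hosts, the default target and the page layout are assumptions.

```python
"""Allowlist check for a "frame this URL" request parameter.

Added example, not Virus.Org's or Charter One's code. It assumes a
hypothetical page that builds a frame whose src comes from a request
parameter, the weakness the post describes; the fix is to frame only
destinations the site operator has approved and a safe default otherwise.
"""
import html
from urllib.parse import urlsplit

# Hosts this hypothetical site may legitimately frame (assumed values).
ALLOWED_FRAME_HOSTS = {"www.charterone.com", "www.totallyfreebanking.com"}
SAFE_DEFAULT = "https://www.charterone.com/"


def safe_frame_target(requested: str) -> str:
    """Return `requested` if it may be framed, otherwise SAFE_DEFAULT.

    Rejects non-https URLs, hosts outside the allowlist, and forms that
    disguise the real destination: userinfo ("good.com@evil.example"),
    explicit ports, and look-alike subdomains ("good.com.evil.example").
    """
    try:
        parts = urlsplit(requested)
        if parts.scheme != "https":
            return SAFE_DEFAULT
        if parts.username is not None or parts.port is not None:
            return SAFE_DEFAULT
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed netloc or non-numeric port
        return SAFE_DEFAULT
    if host not in ALLOWED_FRAME_HOSTS:
        return SAFE_DEFAULT
    return requested


def render_frame_page(requested: str) -> str:
    """Emit the framing page; the src is validated, then attribute-escaped
    so a crafted query string cannot break out of the src attribute."""
    target = html.escape(safe_frame_target(requested), quote=True)
    return f'<frameset rows="60,*"><frame src="{target}"></frameset>'
```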


ZDNet: Printer Friendly - Yahoo pledges full Firefox compatibility

By Munir Kotadia
URL: http://news.zdnet.com/2100-9588_22-5623838.html

Yahoo has confirmed plans to allow Firefox users to access all the portal giant's products and services, many of which are currently only available through Microsoft's Internet Explorer browser.

In February, Yahoo launched a search toolbar for Firefox, but users of the open-source browser were forced to revert to IE to access some Yahoo features. For example, Yahoo Messenger users still cannot use Firefox to customize their online avatar and have to revert to IE.

However, a Yahoo representative on Tuesday said the company will not launch any new products or services in the future without ensuring that they work on both IE and Firefox.

"Due to the explosive popularity of the Firefox browser, it has now been added to our suite of browsers to test our products against. All new products that Yahoo develops will be tested against Firefox," the representative said.

However, Yahoo would not commit to a date when all its current services--including avatar customization--will be available to Firefox users.

"We understand that consumer usage of Firefox has steadily increased, and we are committed to providing an enhanced consumer experience. While we are unable to provide you with an exact date, I can tell you we are actively working to provide Firefox support for avatars," the representative said.

Yahoo's decision to launch new products that support both major browsers is a huge boost for Firefox, according to Foad Fadaghi, senior industry analyst at Frost & Sullivan Australia.

"The momentum right now is behind Firefox. The Internet players are making sure they don't miss out if there is a mass migration--they have realized that it is not just a Microsoft game anymore," Fadaghi said.

Fadaghi said another likely reason why Yahoo has committed to Firefox is the open-source browser's close ties to Google.

When Firefox 1.0 was launched late last year, its default home page featured a Google search box.

"There is already a lot of support from Google, so as far as Yahoo is concerned, they are 'keeping up with the Joneses.' It is a bit of a land grab," Fadaghi said.

Munir Kotadia of ZDNet Australia reported from Sydney.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

MS05-004 update
Thanks to Juha-Matti for pointing out that the ASP.NET bulletin from February has been updated. Apparently the Caveats section of KB887219 has been updated based on user experience, but, of course, all our loyal readers have already patched, right? :)


CNN.com - 'Person of interest' in missing girl case held - Mar 17, 2005

'Person of interest' in missing girl case held

(CNN) -- John Couey, a "person of interest" in the case of missing Florida 9-year-old Jessica Lunsford has been taken into custody on an unrelated warrant in Richmond County, Georgia, police said Thursday.

Couey is being held in Augusta, Georgia, said Ronda Hemminger Evan of the Citrus County, Florida, Sheriff's department. Evan said Couey is being held on a parole violation.

"He is a person of interest; he has not been named a suspect in this case," she said.

Police say Couey, 46, is a convicted sex offender and they don't know whether Couey is involved in the little girl's disappearance. They said that based on his lengthy criminal record he is prone to violence when under the influence of alcohol or drugs.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

DNS cache poisoning incidents
There have been widespread reports of DNS cache poisoning and users being redirected on a major scale to certain web sites. Symantec has released a hotfix addressing a DNS cache poisoning and redirection issue with their Gateway Security, Enterprise Firewall, and VelociRaptor products. Products other than Symantec's are also reported to be impacted. More information is available from the following URLs:

http://securityresponse.symantec.com/avcenter/security/Content/2005.03.15.html
http://www.techweb.com/wire/security/159900971


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

MS05-010 Correction

Quoting Dave Aitel directly from [Dailydave] LLSSRV Clarifications.
As stated in MS05-010, LLSSRV is not remotely exploitable on Windows 2000 Server SP3 and 4 without authentication. However, it is remotely exploitable in Windows 2000 Advanced Server SP 3 and 4 without authentication. More information at the Immunity Inc. web site:

http://www.immunitysec.com/downloads/llssrv_miss.pdf


CNN.com - Sex offender sought for questioning in missing girl case - Mar 16, 2005

Sex offender sought for questioning in missing girl case


(CNN) -- Florida investigators said Wednesday they are seeking convicted sex offender John Evander Couey for questioning in last month's disappearance of 9-year-old Jessica Lunsford.

The Citrus County Sheriff's Department released a picture of Couey, 46, whom it described as a "person of interest," to aid the nationwide search.

Authorities said they don't know whether Couey is involved in the little girl's disappearance, but do know from his lengthy criminal record that he is prone to violence when under the influence of alcohol or drugs.

Jessica was last seen in her bed in Homosassa, Florida, February 23. Except for an unlocked front door, the home was undisturbed with no signs of a struggle. She lived with her father and grandparents.

Jessica is 4 feet, 10 inches tall, weighs 70 pounds, has light brown hair and was last reported wearing a pink nightgown.

Couey had been living in the Citrus County area and was last seen in Savannah, Georgia, Citrus County Sheriff Jeff Dawsy told reporters.

Dawsy said Couey had been staying with a relative in a house near the Lunsfords', and his name came up when authorities were investigating sexual offenders in the area.

A relative admitted to detectives that Couey left on a bus for Savannah February 28, where he was interviewed by local police Saturday at a shelter, Dawsy said.

Savannah police, who had no jurisdiction, were unable to hold Couey, he said. Three detectives from Florida have now gone to Savannah.

"We still think he's in that immediate area," Dawsy said. He said investigators do not know if Couey had had any contact with Jessica.

Savannah-Chatham Metropolitan Police Department spokesman Bucky Burnsed said Savannah police were acting on a request from the Citrus County Sheriff's Department when they picked up the man at a Savannah Salvation Army shelter Saturday.

"He was cooperative," Burnsed said, adding that authorities "didn't have the grounds to hold him" without an arrest warrant.

He said Savannah police don't know whether he is still in their city.

Burnsed said, "Our officers would like to speak with him [again]. We are looking for him. It is not a manhunt."

Under Florida law, a convicted sex offender must register his change of address, and a warrant was issued, according to the sheriff.

He said there also was an August 2004 outstanding warrant for Couey for violating probation because of alleged marijuana possession. That warrant has been amended to be effective outside Florida, the sheriff said. Couey also is wanted on an outstanding warrant that he failed to report to his probation officer.

"There is no indication at all that her family had any contacts with this individual," Dawsy said.

But he said detectives are concerned because of Couey's criminal history spanning more than three decades and 24 arrests, which includes multiple arrests for burglary, carrying a concealed weapon, indecent exposure, disorderly conduct, larceny and drug charges.

Couey pleaded guilty to 1991 felony charges of sex offense against a child, fondling a child under age 16 and lewd and lascivious conduct in Kissimmee; he was convicted of indecent exposure in 1987, according to records from the sheriff's office.

During a 1978 burglary, for which Couey was convicted, he was accused of grabbing a girl in her bedroom, placing his hand over her mouth and kissing her, Dawsy said.

Jessica's father, Mark Lunsford, 41, said he has no "problems with the way the sheriff's department is doing its job," noting that authorities haven't ruled any scenario or possible suspect out.

"I have confidence in my sheriff's department, and I truly believe in my heart that my daughter is coming home," Lunsford said, his voice breaking for the only time in a 10-minute chat with reporters. "I just don't know when. Sometimes it is a little hard to swallow, but you just swallow it and keep going because that's what you have to do."

Polygraphs given to both her father and her grandfather, Archie Lunsford, 72, raised no immediate concerns to investigators. Authorities announced Tuesday a polygraph of Jessica's grandmother, Ruth Lunsford, 73, included two responses that "raised red flags," but could have been stress-related.

A 14-member task force has been assigned to the case full time.

Lunsford asked for volunteers for a weekend search, beginning at 7 a.m. both Saturday and Sunday. He said he wants to cover as wide an area as possible.

"I truly believe that my daughter is alive and that she is coming home," he said.

CNN's Susan Candiotti, Patrick Oppmann and Richard Phillips contributed to this report.

Find this article at:
http://www.cnn.com/2005/US/03/16/missing.girl/index.html

 

CNN.com - 'Person of interest' sought in Florida missing girl case - Mar 15, 2005

'Person of interest' sought in Florida missing girl case
Grandmother's polygraph 'raised red flags'

(CNN) -- Police in Citrus County, Florida, are looking for a man they are calling a "person of interest" in the case of a missing 9-year-old Homosassa girl, the sheriff's department said Tuesday.

Sheriff Jeff Dawsy told reporters at a news conference that the person is part of Jessica Lunsford's family, social, school or church circles and may have come into contact with her before she disappeared.

The girl was last seen the night of February 23.

Whether this line of investigation will lead anywhere remains to be seen, according to the sheriff.

"I do not know how significant this is until I talk to this individual," he said.

The man has a criminal history, Dawsy said. The sheriff added that he thinks he knows where the man is, but would not identify his location other than to say it is outside of Florida.

He said that he would give investigators 48 hours to find the man before releasing his name to the media.

"I think he knows we want to talk with him," he said.

When asked if the man was among the 20 registered sex offenders in Citrus County, Dawsy replied, "Not in that general area."

Law enforcement agencies in other areas of the country were assisting in the search, he said.

Dawsy said investigators have generated about 3,000 leads, but no others are considered strong.

The man is not a family member, sheriff's department spokeswoman Ronda Hemminger Evan said.

Police also announced that a polygraph test given to the girl's grandmother, Ruth Lunsford, 73, on March 4 included two responses that "raised red flags" for investigators.

Dawsy said that her answers could have been affected by stress and that the FBI interviewed her again on Monday.

"We have totally not been able to rectify any of those answers she gave on why we got this type of response," he said.

Polygraphs given to the girl's father, Mark Lunsford, and her grandfather, Archie Lunsford, 72, by the FBI raised no immediate concerns to investigators.

Dawsy reiterated that his department has never stopped working this case and is on a seven-day-a-week schedule to find her.

A 14-member task force has been assigned to work the case full time. The group is composed of representatives from the sheriff's offices in Citrus and neighboring Hernando counties, along with the FBI and the Florida Department of Law Enforcement.

Jessica -- who is 4 feet, 10 inches tall, weighs 70 pounds and has light brown hair -- was last reported wearing a pink nightgown.

Police said she was last seen at 10 p.m. on February 23 by her grandmother, who put her to bed in her home in Homosassa, a community of about 2,300 on the Gulf Coast, about 60 miles north of Tampa.

Mark Lunsford, 41, found her bed empty when he returned home around 6 a.m. Thursday, after spending the night with his girlfriend. She shared the home with her father and paternal grandparents.

There was no sign of forced entry at the home, and the girl's room was extremely clean, the sheriff said at the time. However, he said the front door of the home was unlocked.

The sheriff said the only thing missing from the girl's room was a doll, which he would not describe.

In the days after Lunsford's disappearance, hundreds of volunteers turned out -- sometimes in pouring rain -- to help law enforcement officers search for the girl. They were joined by search dogs and officers on horseback and on off-road vehicles.

On February 28, Lunsford said he was convinced his daughter was abducted, but Evan said the question of whether she ran away or was taken from her home remained open.

Lunsford said, "I know my daughter. She is not much different than anybody else's. If they are in a good home, there is no reason for them to leave."

At a news briefing three days earlier, the girl's father and grandparents issued an emotional plea for any information on her whereabouts.

Ruth Lunsford said then that neither she nor her husband heard anything unusual the night of the disappearance and said Jessica would never go anywhere "without consulting us."

"She just doesn't go off ... she doesn't roam," the grandmother said. "She's very smart, she's very well-mannered, and she's a beautiful child. When God made Jessie, he made an angel."

That same day, Dawsy announced that Atlanta Braves pitcher Mike Hampton and his wife Kautia -- residents of Homosassa -- had offered a $25,000 reward for any information leading to the girl's location and return.

Here is another reason not to allow file sharing programs onto your network. This is also another example of how virus writers are "raising the bar" in their effort to do whatever they can to infect more computers.

Symantec Security Response - W32.Selotima.A

W32.Selotima.A
Category 2
Discovered on: March 13, 2005
Last Updated on: March 14, 2005 03:01:57 PM

W32.Selotima.A is a worm that propagates through file-sharing networks and inserts itself into .zip and .rar archives. 

When W32.Selotima.A is executed, it performs the following actions:

  1. Copies itself as the following:

  2. Drops the following files:

  3. Adds the value:

    "Daemon" = "%Windir%\daemon.exe c daemon2.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs every time Windows starts.

  4. Modifies the following registry values:

    "Hidden" = "0x00000000"
    "HideFileExt" = "0x00000001"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

  5. Searches for .zip or .rar files and inserts itself as Readme.txt.exe into the archive.

  6. Attempts to copy itself to the following file-sharing program folders:

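An added example, not Symantec's code, of a defensive check this writeup suggests: scanning .zip archives for members planted the way step 5 describes, an executable disguised as Readme.txt.exe (which Explorer shows as "Readme.txt" once HideFileExt is set to 1, as in step 4). The sample archives are constructed in memory and the extension lists are assumptions.

```python
"""Scan .zip archives for members planted the way W32.Selotima.A does.

Added example, not Symantec's code. The worm inserts itself as
Readme.txt.exe and sets HideFileExt=1, so Explorer shows "Readme.txt".
This flags members whose final extension is executable but whose name
carries a document-like inner extension, and members whose content
starts with the PE "MZ" header despite a non-executable extension.
Sample archives are constructed in memory; no real malware is involved.
"""
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Assumed extension lists; extend to match local policy.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg", ".mp3", ".avi"}


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return a reason string if the member looks planted, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    inner = "." + parts[-2] if len(parts) >= 3 else ""
    is_pe = head[:2] == b"MZ"
    if last in EXEC_EXTENSIONS and inner in DECOY_EXTENSIONS:
        suffix = " with MZ header" if is_pe else ""
        return f"double extension {inner}{last}{suffix}"
    if is_pe and last not in EXEC_EXTENSIONS:
        return f"PE header hidden behind {last}"
    return None


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Scan raw zip bytes, reading only the first two bytes of each member."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reason = classify_member(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test archive: member name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```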

F-Secure : News from the Lab

Java Applet trojan that infects Internet Explorer even when run in Firefox. Posted by Jarno @ 12:27 GMT

Well, here's proof that Java is a portable programming environment :)

Christopher Boyd from Vitalsecurity.org has found a Java trojan that is capable of downloading and infecting Internet Explorer with Spyware/Adware, even if you are running another browser that supports Java such as Firefox.

We detect this as Java.OpenStream.T

What is happening here is that the trojan is in a signed Java archive, signed with a valid certificate, which causes the Java runtime to ask the user whether this applet should be executed or not. And if the user answers yes, the Java applet is given all the access that any other binary running under the user account would have.

This allows the trojan to do the same kind of nasty tricks as any other Java downloader trojan does, but without using any kind of exploits.

Also what makes the case interesting is that this trojan is probably not intended to work with Firefox or any other alternative browser. The trojan works just because the trojan author did not use any Microsoft-specific code, thus making the trojan portable to other platforms.

And yes, the trojan will most likely also work under Linux, but it won't really do anything there, as it tries to download and execute a Win32 EXE trojan.

So if a website asks you whether you want to run a Java applet, and you are not intending to run some Java application you trust, just answer no.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Entire web farms hacked to serve up the 7sir7 redirect

We have received reports and evidence that a number of companies that provide shared hosting web servers have had their servers exploited and all of the customer homepages modified so that