Monday, October 27, 2008

MS08-067 Windows Server Remote Exploit Information

We received a flood of requests from our customers to see if Sentinel IPS is protecting against attacks on this new vulnerability. Once we assured them we have several signatures in place (thanks Emerging Threats!), I figured a follow-up with some information on this vulnerability would be helpful.

First, the vulnerability is a remote buffer overflow in the RPC (remote procedure call) code in the Windows OS. This vulnerability allows full code execution/system compromise over the wire.

Second, MS went public with information on this vulnerability around October 22nd after it found evidence of active exploitation in the wild.

Is public exploit code available? "You betcha", http://www.milw0rm.com/exploits/6841

Which versions of Windows are vulnerable? Microsoft Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

Is there a patch or update available? Yes, MS pushed an emergency update (out-of-band patch) on Friday, Oct 24th. That gives you an idea of how serious this is.

Doesn't my firewall protect me from this? Yes, sort of... if it is denying ports 139 and 445 to the host. But you are likely still vulnerable from your LAN, and if your grandma plugs directly into her DSL modem and has turned off that pesky Windows firewall (uh oh).

What happens when I am compromised? There is a worm/botnet currently spreading using this vulnerability; after a successful compromise, it scans the local network for vulnerable machines. This means dirty laptops are an extremely high risk for spreading this worm.

What is the malware which the worm spreads? It is your standard auto-propagating trojan/malware/botnet client, currently going by the name Gimmiv (Win32.Gimmiv.a/b worm).

What can I do? Keep an eye on your machines, run the latest AV software, and make sure your firewalls and IPS are protecting ports 139/445 wherever possible. Last but not least, patch, patch, patch!
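One way to spot the post-compromise behaviour described above (an infected host sweeping the LAN on 139/445) from flow or firewall logs, as an added example that is not part of the original post. The flow records, host addresses and the 8-targets-per-minute threshold are constructed for illustration; tune the threshold to your own network before trusting it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic), "timestamp src dst dport".
# 10.0.0.42 behaves like an infected laptop sweeping the subnet on TCP/445;
# the other hosts show normal single-server SMB and web traffic.
SAMPLE_FLOWS = [
    f"2008-10-27T09:00:{i:02d} 10.0.0.42 10.0.0.{100 + i} 445" for i in range(10)
] + [
    "2008-10-27T09:00:03 10.0.0.7 10.0.0.5 445",
    "2008-10-27T09:00:09 10.0.0.7 10.0.0.5 445",
    "2008-10-27T09:00:15 10.0.0.9 10.0.0.5 139",
    "2008-10-27T09:00:20 10.0.0.9 198.51.100.10 80",
]

SMB_PORTS = {139, 445}  # NetBIOS session / direct-hosted SMB


def parse_flows(lines):
    """Parse 'timestamp src dst dport' records into tuples."""
    flows = []
    for line in lines:
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_smb_sweepers(flows, window=timedelta(seconds=60), min_targets=8):
    """Return {src: peak_distinct_targets} for sources that contacted at least
    min_targets distinct hosts on 139/445 inside any sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))
    sweepers = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= min_targets:
            sweepers[src] = peak
    return sweepers


if __name__ == "__main__":
    for src, n in find_smb_sweepers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible worm scan from {src}: {n} SMB targets within 60s")
```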

Godspeed.

Tuesday, October 14, 2008

ASPROX still alive, deryv.ru

deryv.ru is the latest domain used by the ASPROX botnet's SQL injection attacks on insecure ASP websites.

Other current ASPROX domains include:
lang42.ru, s800qn.cn, ss11qn.cn

Grab our ASPROX toolkit for information on cleaning up and defending against this threat.

Tuesday, October 7, 2008

To jailbreak or not to jailbreak the iPhone 3G

I am blogging right now through my newly jailbroken iPhone 3G with 2.1 firmware... using some blogging application and typing on the tiny keyboard, you may ask? Not today. I am in fact using PDAnet, a free Internet sharing app for jailbroken iPhones which allows you to connect your laptop PC (any variety) to your iPhone via ad-hoc wireless networking and then gain access to the Internet through your phone's 3G or EDGE connection.

I can say this app alone is reason enough to jailbreak your iPhone... I mean, Starbucks coffee is expensive enough, paying for their Internet access is a slap in the face.

So what other wonderful goodies are available exclusively to a jailbroken iPhone? Well, this is an Information Security blog, so how could I not talk about the excellent new Stumbler Plus app. It is a full-featured wardriving and wireless network auditing tool (GUI) and it is really quite sweet. Here are some features:

1. Finds hidden SSIDs
2. Reverses AP MAC addresses automatically to the vendor name (COOL!)
3. Records signal strength, encryption type, and long/lat via GPS!

The only downsides I have found are that there is no automatic feature to keep scanning while you drive (it requires you to repeatedly hit the scan button), and it doesn't seem to have a save or email results feature.

So those are the two killer jailbreak apps currently out for the iPhone 3G. I am sure some of you will wonder why I didn't mention nmap and Metasploit, but if you have tried to use either in the buggy xterm app with the tiny keyboard, it is not something to be desired. Maybe I will create a one-button GUI version of Metasploit that uses autopwn... hrmm, my list of projects is getting out of control.

Wednesday, October 1, 2008

Are you ready for IPv6?

Vint Cerf, one of the core developers of IPv4 and now an evangelist for Google, says time is running out for 32-bit IP addresses...

Article from timeonline.co.uk

So the question I pose is: are you ready? To truly know, you have to ask yourself a few questions...

1. Does your ISP provide IPv6 connectivity (raw or tunneled)?

2. Most networking equipment and operating systems support IPv6, but does your security equipment? If you use IDS/IPS, it is highly probable that IPv6 is not yet supported or requires a software update to get there. This is based on Snort, the industry-standard IDS, only gaining IPv6 support in the recent 2.6+ releases.

3. Do you understand the security architecture changes required for IPv6? Every node will have a public IP; with no more NAT, privacy and security will have to be re-evaluated, as every host will be directly addressable.

For example, if Sally goes to website xyz.com from work, only the common WAN IP of the office is saved in xyz.com's access logs when the office uses a standard IPv4 NAT gateway. Under IPv6 the website would log the public IP assigned specifically to Sally's computer and route directly back to it without NAT translation. So not only could an attacker potentially tie the website visit to Sally, he could also know the direct address to attack her computer.

4. DNS will become more important: while there are ways to simplify IPv6 notation so you don't have to remember a lengthy hex string, you will more likely rely heavily on DNS to address your LAN machines.

5. Dual-mode IP stack: most current operating systems like Vista, OSX and Linux ship with support for both IPv4 and IPv6 enabled by default. Think of the two as different layers, as you could essentially be attacked over either IP protocol. You will have to remember this when designing your architecture for IPv6 so you do not turn a blind eye to IPv4 traffic.
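To make points 3 and 5 concrete, here is an added example (not from the original post) that audits a dual-stack host inventory for machines like Sally's: private IPv4 behind NAT, yet carrying a globally routable IPv6 address that the Internet can reach directly. It also shows the compressed notation referred to in point 4. The hostnames and addresses are constructed, and the 2000::/3 global unicast check is used in place of Python's is_global so that the 2001:db8:: documentation addresses classify as global.

```python
import ipaddress

# IANA global unicast range (constructed example uses 2001:db8:: documentation
# addresses, which ipaddress.is_global would otherwise report as non-global).
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")

# Constructed inventory (not real hosts): configured addresses per machine on a
# dual-stack office LAN that still sits behind an IPv4 NAT gateway.
INVENTORY = {
    "sally-pc": ["10.1.2.57", "fe80::1c4f:8a2b:7d3e:9f01", "2001:db8:4:2::57"],
    "fileserver": ["10.1.2.5", "fe80::250:56ff:fe9a:1234"],
    "kiosk": ["192.168.50.20", "2001:0db8:0004:0002:0000:0000:0000:0014"],
}


def classify(addr_text):
    """Label one address by protocol family and reachability."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        return "v4-private" if addr.is_private else "v4-global"
    if addr.is_link_local:
        return "v6-link-local"  # never routed off the local segment
    return "v6-global" if addr in GLOBAL_UNICAST_V6 else "v6-other"


def nat_shadow_hosts(inventory):
    """Hosts that IPv4 NAT hides from the Internet but IPv6 exposes directly:
    no global IPv4 address, yet a global unicast IPv6 address is configured.
    Returns {host: compressed IPv6 address}."""
    exposed = {}
    for host, addrs in inventory.items():
        kinds = {classify(a): a for a in addrs}
        if "v6-global" in kinds and "v4-global" not in kinds:
            # .compressed is the short notation mentioned in point 4.
            exposed[host] = ipaddress.IPv6Address(kinds["v6-global"]).compressed
    return exposed


if __name__ == "__main__":
    for host, addr in nat_shadow_hosts(INVENTORY).items():
        print(f"{host}: directly addressable over IPv6 as {addr}")
```

The file server is not flagged because its only IPv6 address is link-local, which never leaves the segment.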