
Alert! Code Yellow ISC.

13-08-2005, 17:39 by G-Force, 2 replies
The Internet Storm Center warns computer users worldwide that the most
recently discovered holes in the Windows operating system are being
exploited over the internet, including a 0-day exploit for Veritas. Anyone who
has not yet installed the latest patches is urgently advised to secure every
Windows system. The SNORT signatures are also printed below.

===========================================

Infocon Yellow; Windows and Backup Exec exploits are out, where are the
exploits, NIST drafts, Snort signatures

Infocon: Yellow

Due to a number of very well working Windows exploits for this week's
patch set, and the zero-day Veritas exploit, we decided to turn the infocon to
yellow.

Advice: Use the weekend to patch ALL WINDOWS SYSTEMS. It may be
worthwhile to consider accelerated deployment of the patches even to
critical systems if the weekend is slow anyway. Backup Exec should be
firewalled or disabled at this point.

Note: Consider unprotected internet facing machines infected at this point
if they do not have this week's patches applied. Patch and handle them with
extra care.


Windows and Backup Exec exploits are out

In case you're waiting to see whether it's worth updating either Windows or
Veritas' Backup Exec, now's the time to do so. Live exploits are out for both.

Specifically, MS05-039 appears to have 3 live exploits out for it already, and
Backup Exec has at least one exploit out.

We've said it already, but it's worth repeating - get those patches in soon...


Which exploits are really out?

We've gotten a number of questions from readers about the exploits we've
mentioned over the past few days in the diary. Some of them are publicly
known and easily Google-able. Others are ones that we've found out about
from trusted sources that have asked us to not share the exploit itself.

Because our goal is to provide timely alerts to the security community, we
generally don't provide the exploit code itself. If it truly is publicly visible,
you'll find it in a few minutes without our help. And if the exploit is still
generally private, we don't want to be the conduit that accelerates attacks -
people with lots of hat colors read this diary. *smile*

Thanks for understanding.


NIST drafts

NIST has provided draft security documents: Creating a Patch and
Vulnerability Management Program, Secure DNS Deployment Guide,
Guide to Malware Incident Prevention and Handling, Guide to
Single-Organization IT Exercises, Guide to Computer and Network Data
Analysis: Applying Forensic Techniques to Incident Response, and Codes for
the Identification of Federal and Federally-Assisted Organizations.


Preliminary Snort signatures for MS exploits

One reader was kind enough to forward some Snort signatures for
malware hitting the recently announced vulnerabilities. Credit for these
signatures goes to Blake Hartstein at Demarc.

To not have the lines go on too long, the pcre's have been split over
multiple lines; everything from pcre: to /i"; needs to be reassembled into
one object with no spaces.


# These rules are separated for compatibility with Snort 2.3.3 (no more than
# 850 characters per line). If you are using Snort 2.4.0 or later you can
# safely combine these into a single rule.
#
# The pcre strings that were split over several lines in the diary are
# reassembled here, and the rules use Snort's backslash line continuation.
# The first rule's pcre is assumed to have read "CLSID\s*:" (the backslash
# was dropped in the posted copy, leaving "CLSIDs*:").

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
  (msg:"BLEEDING-EDGE EXPLOIT CLSID Pattern Matched"; \
  flowbits:isnotset,CLSID_DETECTED; flow:established,from_server; \
  pcre:"/CLSID\s*:(?=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/i"; \
  flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious; \
  sid:2002174; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
  (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1)"; \
  flow:established,from_server; flowbits:isset,CLSID_DETECTED; \
  pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/i"; \
  classtype:web-application-attack; reference:cve,2005-1990; \
  reference:url,http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; \
  sid:2002171; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
  (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2)"; \
  flow:established,from_server; flowbits:isset,CLSID_DETECTED; \
  pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E-409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CE-BE57-00AA0051FE20/i"; \
  classtype:web-application-attack; reference:cve,2005-1990; \
  reference:url,http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; \
  sid:2002172; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
  (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3)"; \
  flow:established,from_server; flowbits:isset,CLSID_DETECTED; \
  pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1-8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF-7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-0000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A-11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43-F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/i"; \
  classtype:web-application-attack; reference:cve,2005-1990; \
  reference:url,http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; \
  sid:2002173; rev:2;)
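The four rules above work as a pair of stages: the first one never alerts by itself but sets the CLSID_DETECTED flowbit when a "CLSID:" followed by a GUID appears in a server response, and the three group rules only fire if that flowbit is already set and one of the listed CLSIDs shows up. The following Python script, added here as an illustration and not part of the diary or of the Bleeding Edge rule set, replays that logic over a few constructed response bodies. It reproduces only a handful of the CLSIDs from each group and, as a simplification, looks for the context and the CLSID in the same payload, whereas Snort tracks the flowbit per TCP flow.

```python
import re
from typing import Dict, List

# Stage 1 mirrors sid 2002174: it never alerts on its own, it only records that
# a "CLSID:" followed by a GUID was seen (flowbits:set,CLSID_DETECTED).
CLSID_CONTEXT = re.compile(
    rb"CLSID\s*:(?=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})",
    re.IGNORECASE,
)

# Stage 2 mirrors sids 2002171-2002173. Only a few CLSIDs per group are
# reproduced from the posted rules; the real rules carry 13 to 14 each.
CLSID_GROUPS: Dict[int, List[bytes]] = {
    2002171: [
        b"03D9F3F2-B0E3-11D2-B081-006008039BF0",
        b"860BB310-5D01-11D0-BD3B-00A0C911CE86",
        b"E0F158E1-CB04-11D0-BD4E-00A0C911CE86",
        b"52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C",
    ],
    2002172: [
        b"01E04581-4EEE-11D0-BFE9-00AA005B4383",
        b"AF604EFE-8897-11D1-B944-00A0C90312E1",
        b"3050F391-98B5-11CF-BB82-00AA00BDCE0B",
        b"D99F7670-7F1A-11CE-BE57-00AA0051FE20",
    ],
    2002173: [
        b"EEED4C20-7F1B-11CE-BE57-00AA0051FE20",
        b"C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410",
        b"00022613-0000-0000-C000-000000000046",
        b"3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5",
    ],
}

# One case-insensitive alternation per group, the same shape as the rules' pcre.
GROUP_PATTERNS = {
    sid: re.compile(b"|".join(re.escape(c) for c in clsids), re.IGNORECASE)
    for sid, clsids in CLSID_GROUPS.items()
}


def scan_response(payload: bytes) -> List[int]:
    """Return the sids that would fire on one server-to-client HTTP payload.

    Assumption of this example: the flowbit is evaluated against the same
    payload; in Snort it is kept per flow, so context and CLSID may sit in
    different packets of one connection.
    """
    clsid_detected = bool(CLSID_CONTEXT.search(payload))  # flowbits:set,CLSID_DETECTED
    if not clsid_detected:
        # flowbits:isset,CLSID_DETECTED fails, so the group rules are not evaluated
        return []
    return [sid for sid, pattern in GROUP_PATTERNS.items() if pattern.search(payload)]


# Constructed sample response bodies (not captured traffic).
SAMPLES = {
    "group1_object_tag": b'<object classid="clsid:03D9F3F2-B0E3-11D2-B081-006008039BF0"></object>',
    "group3_lowercase": b'<OBJECT CLASSID="clsid:eeed4c20-7f1b-11ce-be57-00aa0051fe20">',
    "benign_clsid": b'<object classid="CLSID:00000000-0000-0000-0000-000000000000">',
    "bare_guid_no_context": b"see 03D9F3F2-B0E3-11D2-B081-006008039BF0 in the registry docs",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:22s} -> {scan_response(body)}")
```

The last two samples show why the flowbit stage is there: a page that merely mentions one of the GUIDs as text never sets CLSID_DETECTED, so no group rule is evaluated for it, and a page that instantiates an object with a CLSID outside the lists sets the flag but produces no alert.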
Replies (2)
14-08-2005, 23:19 by Anonymous
yo peter, I once read on virusalert about codered and the like. it seemed
to be pretty dangerous, and there were more variants, son of codered, codeblue
etc. is code yellow a second son of codered? or is it not even a virus?


GREETZ chrizzz