Archief
- De topics van lang geleden
Alert! Code Geel ISC.
Het Internet Storm Centrum waarschuwt computergebruikers wereldwijd,
dat de laatst ontdekte lekken in het Windows besturingsysteem via het
internet worden uitgebuit, inclusief met een 0-day exploit voor Veritas. Wie
nog niet de laatste patches heeft geïnstalleerd wordt dringend
aangeraden om elk Windows-systeem te beveiligen. Hieronder staan
ook de SNORT-handtekeningen afgedrukt.
===========================================
Infocon Yellow; Windows and Backup Exec exploits are out, where are the
exploits, NIST drafts, Snort signatures
Infocon: Yellow
Due to a number of very well working Windows exploits for this weeks
patch set, and the zero-day Veritas exploit, we decided to turn the infocon to
yellow.
Advice: Use the weekend to patch ALL WINDOWS SYSTEMS. It may be
worthwhile to consider accelerated deployment of the patches even to
critical systems if the weekend is slow anyway. Backup Exec should be
firewalled or disabled at this point.
Note: Consider unprotected internet facing machines infected at this point
if they do not have this weeks patches applied. Patch and handle them with
extra care.
Windows and Backup Exec exploits are out
In case you're waiting to see whether it's worth updating either Windows or
Veritas' Backup Exec, now's the time to do so. Live exploits are out for both.
Specifically, MS05-039 appears to have 3 live exploits out for it already, and
Backup Exec has at least one exploit out.
We've said it already, but it's worth repeating - get those patches in soon...
Which exploits are really out?
We've gotten a number of questions from readers about the exploits we've
mentioned over the past few days in the diary. Some of them are publicly
known and easily Google-able. Others are ones that we've found out about
from trusted sources that have asked us to not share the exploit itself.
Because our goal is to provide timely alerts to the security community, we
generally don't provide the exploit code itself. If it truly is publicly visible,
you'll find it in a few minutes without our help. And if the exploit is still
generally private, we don't want to be the conduit that accelerates attacks -
people with lots of hat colors read this diary. *smile*
Thanks for understanding.
NIST drafts
NIST has provided draft security security documents: Creating a Patch and
Vulnerability Management Program, Secure DNS Deployment Guide,
Guide to Malware Incident Prevention and Handling, Guide to Single-
Organization IT Exercises, Guide to Computer and Network Data Analysis:
Applying Forensic Techniques to Incident Response, and Codes for the
Identification of Federal and Federally-Assisted Organizations.
Preliminary Snort signatures for MS exploits
One reader was kind enough to forward some Snort signatures for
malware hitting the recently announced vulnerabilities. Credit for these
signatures goes to Blake Harstein at Demarc.
To not have the lines go on too long, the pcre's have been split over
multiple lines; everything from pcre: to /i"; needs to be reassembled into
one object with no spaces.
#These rules are separated for compatibility with Snort 2.3.3 (>850
#characters per line), If you are using Snort >2.4.0 you can safely
#combine these into a single rule
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE
EXPLOIT CLSID Pattern Matched"; flowbits:isnotset,CLSID_DETECTED;
flow:established,from_server;
pcre:"/CLSIDs*:(?=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]
{12})/i";
flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious;
sid:2002174; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE
EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group
1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED;
pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-
11D0-
BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-
00A0C911CE86|33D9A761-
90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-
00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-
90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-
00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-
D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-
DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-
3B9B-419E-A3D6-5D28C0B0B50C/i";
classtype:web-application-attack; reference:cve,2005-1990;
reference:url,http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx;
sid:2002171; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE
EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group
2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED;
pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-
11D1-B944-
00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-
BEEE-4442-
804E-409D6C4515E9|3050F391-98B5-11CF-BB82-
00AA00BDCE0B|8EE42293-C315-
11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-
00AA0051FE20|510A4910-
7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-
00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-
7F1C-11CE-
BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-
00AA0051FE20|D99F7670-7F1A-
11CE-BE57-00AA0051FE20/i";
classtype:web-application-attack; reference:cve,2005-1990;
reference:url,http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx;
sid:2002172; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE
EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group
3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED;
pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-
11D0-BB4C-
00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-
D367-11D1-
8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-
00805F85CFE3|ECABB0BF-7F19-
11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-
0000F875AE17|67DCC487-
AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-
000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-
343A-11D0-
AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-
00E0291F3959|CC7BFB43-F175-
11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-
00A0C90C2BC5/i";
classtype:web-application-attack; reference:cve,2005-1990;
reference:url,http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx;
sid:2002173; rev:2;)
dat de laatst ontdekte lekken in het Windows besturingsysteem via het
internet worden uitgebuit, inclusief met een 0-day exploit voor Veritas. Wie
nog niet de laatste patches heeft geïnstalleerd wordt dringend
aangeraden om elk Windows-systeem te beveiligen. Hieronder staan
ook de SNORT-handtekeningen afgedrukt.
===========================================
Infocon Yellow; Windows and Backup Exec exploits are out, where are the
exploits, NIST drafts, Snort signatures
Infocon: Yellow
Due to a number of very well working Windows exploits for this weeks
patch set, and the zero-day Veritas exploit, we decided to turn the infocon to
yellow.
Advice: Use the weekend to patch ALL WINDOWS SYSTEMS. It may be
worthwhile to consider accelerated deployment of the patches even to
critical systems if the weekend is slow anyway. Backup Exec should be
firewalled or disabled at this point.
Note: Consider unprotected internet facing machines infected at this point
if they do not have this weeks patches applied. Patch and handle them with
extra care.
Windows and Backup Exec exploits are out
In case you're waiting to see whether it's worth updating either Windows or
Veritas' Backup Exec, now's the time to do so. Live exploits are out for both.
Specifically, MS05-039 appears to have 3 live exploits out for it already, and
Backup Exec has at least one exploit out.
We've said it already, but it's worth repeating - get those patches in soon...
Which exploits are really out?
We've gotten a number of questions from readers about the exploits we've
mentioned over the past few days in the diary. Some of them are publicly
known and easily Google-able. Others are ones that we've found out about
from trusted sources that have asked us to not share the exploit itself.
Because our goal is to provide timely alerts to the security community, we
generally don't provide the exploit code itself. If it truly is publicly visible,
you'll find it in a few minutes without our help. And if the exploit is still
generally private, we don't want to be the conduit that accelerates attacks -
people with lots of hat colors read this diary. *smile*
Thanks for understanding.
NIST drafts
NIST has provided draft security security documents: Creating a Patch and
Vulnerability Management Program, Secure DNS Deployment Guide,
Guide to Malware Incident Prevention and Handling, Guide to Single-
Organization IT Exercises, Guide to Computer and Network Data Analysis:
Applying Forensic Techniques to Incident Response, and Codes for the
Identification of Federal and Federally-Assisted Organizations.
Preliminary Snort signatures for MS exploits
One reader was kind enough to forward some Snort signatures for
malware hitting the recently announced vulnerabilities. Credit for these
signatures goes to Blake Harstein at Demarc.
To not have the lines go on too long, the pcre's have been split over
multiple lines; everything from pcre: to /i"; needs to be reassembled into
one object with no spaces.
#These rules are separated for compatibility with Snort 2.3.3 (>850
#characters per line), If you are using Snort >2.4.0 you can safely
#combine these into a single rule
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE
EXPLOIT CLSID Pattern Matched"; flowbits:isnotset,CLSID_DETECTED;
flow:established,from_server;
pcre:"/CLSIDs*:(?=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]
{12})/i";
flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious;
sid:2002174; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE
EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group
1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED;
pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-
11D0-
BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-
00A0C911CE86|33D9A761-
90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-
00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-
90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-
00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-
D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-
DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-
3B9B-419E-A3D6-5D28C0B0B50C/i";
classtype:web-application-attack; reference:cve,2005-1990;
reference:url,http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx;
sid:2002171; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE
EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group
2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED;
pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-
11D1-B944-
00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-
BEEE-4442-
804E-409D6C4515E9|3050F391-98B5-11CF-BB82-
00AA00BDCE0B|8EE42293-C315-
11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-
00AA0051FE20|510A4910-
7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-
00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-
7F1C-11CE-
BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-
00AA0051FE20|D99F7670-7F1A-
11CE-BE57-00AA0051FE20/i";
classtype:web-application-attack; reference:cve,2005-1990;
reference:url,http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx;
sid:2002172; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE
EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group
3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED;
pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-
11D0-BB4C-
00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-
D367-11D1-
8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-
00805F85CFE3|ECABB0BF-7F19-
11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-
0000F875AE17|67DCC487-
AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-
000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-
343A-11D0-
AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-
00E0291F3959|CC7BFB43-F175-
11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-
00A0C90C2BC5/i";
classtype:web-application-attack; reference:cve,2005-1990;
reference:url,http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx;
sid:2002173; rev:2;)
Reacties (2)
yo peter, ik heb op virusalert weleens gelezen over e.d codered. dit scheen
vrij gevaarlijk te zijn, en er waren meer varianten,son of codered codeblue
enz is code geel een tweede zoon van codered ? of is het zelfs geen virus?
GREETZ chrizzz
vrij gevaarlijk te zijn, en er waren meer varianten,son of codered codeblue
enz is code geel een tweede zoon van codered ? of is het zelfs geen virus?
GREETZ chrizzz
Reageren
Deze posting is gelocked. Reageren is niet meer mogelijk.
Junior DevOps Engineer
Certified Secure is op zoek naar een Junior DevOps Engineer. Deze functie is een stuk interessanter dan de term doet vermoeden! Om jou als potentiële nieuwe collega meteen te laten zien wat we doen hebben we speciaal voor jou een selectie gemaakt van een aantal leuke security challenges. Are you ready for a challenge?
Cybersecurity Trainer / Streamer
Toe aan een nieuwe nieuwe job waarmee je het verschil maakt? In de Certified Secure trainingen laat je deelnemers zien hoe actuele kwetsbaarheden structureel verholpen worden. Ook werk je actief mee aan de ontwikkeling van onze gamified security challenges. Bij het maken van challenges kom je telkens nieuwe technieken tegen, van Flutter tot GraphQL, van Elastic Search tot Kubernetes.
