Thursday, July 22, 2010

Microsoft Advisory 2286198: Windows Shell RCE

We have implemented the following network filters to protect users in response to Microsoft Advisory 2286198 (Windows Shell RCE):

10030: HTTP: Microsoft Shell Link Binary File Download
10031: SMTP: Microsoft Shell Link Binary File Attachment
2461: SMTP: Zip Attachment Containing .pif File
2463: POP/IMAP: Zip Attachment Containing .pif File
2711: SMTP: Rar Attachment Containing .pif File
2713: POP/IMAP: Rar Attachment Containing .pif File

We are also looking into implementing the following filter, but because of where the filters sit in the network we need to do more testing before enabling it.

10034: SMB: Microsoft Shell Link Binary File Transmission

If you have any questions or problems, please notify the Region 18 ESC Helpdesk at 432.561.4321 or by email at helpdesk@esc18.net.

Thanks,
Region 18 ESC Network Operations Center
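Added example, not part of the notice above: Advisory 2286198 concerns malicious Windows shortcut (.lnk, "Shell Link Binary") files, and the HTTP/SMTP filters listed above match that content on the wire, while the archive filters look for .pif members inside attachments. The Python below shows the two core checks such a filter performs: a fixed-header match that identifies .lnk content regardless of file name, and enumeration of ZIP members by extension and by content. The finding labels, the sample attachments and the 1 MB inspection cap are my own choices for illustration; RAR members are not handled because the standard library cannot read RAR archives.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Fixed 20-byte prefix of a ShellLinkHeader (MS-SHLLINK): HeaderSize 0x0000004C
# little-endian, then LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk order.
LNK_SIGNATURE = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Member names the SMTP/POP/IMAP archive filters above look for; .lnk is added here.
SUSPECT_EXTENSIONS = (".pif", ".lnk")
MAX_INSPECT = 1_000_000  # only sniff the content of archive members up to 1 MB (assumption)


def is_shell_link(data: bytes) -> bool:
    """True if the blob starts with a Shell Link Binary header, whatever it is named."""
    return data[:len(LNK_SIGNATURE)] == LNK_SIGNATURE


def is_zip(data: bytes) -> bool:
    """Cheap ZIP magic check (local file header, or empty/spanned archive markers)."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def scan_attachment(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for one attachment body; [] means clean."""
    hits: List[Tuple[str, str]] = []
    if is_shell_link(data):
        hits.append(("lnk-content", f"{name}: Shell Link Binary content"))
    if is_zip(data):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(SUSPECT_EXTENSIONS):
                        hits.append(("archive-suspect-ext", f"{name}: member {info.filename!r}"))
                    elif info.file_size <= MAX_INSPECT and is_shell_link(zf.read(info)):
                        # A .lnk renamed to .txt still carries the header
                        hits.append(("archive-lnk-content",
                                     f"{name}: member {info.filename!r} is a Shell Link"))
        except zipfile.BadZipFile:
            hits.append(("archive-unparseable", f"{name}: ZIP magic but archive does not parse"))
    return hits


def build_samples() -> Dict[str, bytes]:
    """Constructed inputs for a dry run; none of this is real malware."""
    fake_lnk = LNK_SIGNATURE + b"\x00" * 56          # 76-byte header, remaining fields zeroed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("update.pif", b"MZ" + b"\x00" * 62)   # .pif name with a fake DOS stub
        zf.writestr("notes.txt", fake_lnk)               # LNK content behind a .txt name
    return {
        "invoice.pdf": fake_lnk,      # LNK content behind a .pdf name
        "photos.zip": buf.getvalue(),
        "memo.txt": b"plain text, nothing to see here",
    }


if __name__ == "__main__":
    for name, body in build_samples().items():
        for kind, detail in scan_attachment(name, body) or [("clean", name)]:
            print(f"{kind:22} {detail}")
```

The header match is the important part: a content filter keyed only on the .lnk extension misses a shortcut delivered under another name, which is why the HTTP and SMTP filters above are described as matching the binary file rather than the name.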

Thursday, April 15, 2010

DIR ADVISORY

DIR ADVISORY -- W32.Qakbot Worm, Compromised FTP Sites and Government Systems

DIR has been made aware of some FTP servers, located in the US and abroad, that have received keystroke logging data files from infected systems.
W32.Qakbot, first identified in May 2009, is a worm that spreads through network shares. It downloads additional files, steals confidential information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence.  Most, if not all, updated Anti-Virus solutions prevent this year-old worm from infecting systems.
The worm spreads by exploiting vulnerabilities when a user visits certain Web pages. Exploit code hosted at these remote locations downloads the threat on to the compromised computer. Many of the infections are aided by users unwittingly clicking on malicious links. The worm also spreads through network shares by copying itself to shared folders when instructed to by a remote attacker.
While W32.Qakbot has multiple capabilities, its ultimate goal is clearly theft of information. W32.Qakbot is capable of gathering a number of different kinds of information, including the following confidential information:
  • Authentication cookies, including Flash cookies
  • DNS, IP, hostname details
  • OS and system information
  • Geographic and browser version information
  • Keystrokes including login information
  • Login details for FTP, IRC, POP3 email, and IMAP email
  • Outlook account information
  • Private keys from system certificates
  • Login credentials for certain websites
  • URLs visited
1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.

1.1  Update and enable Anti-virus software
As a first line of defense, organizations and users are encouraged to review the details outlined in this advisory, update anti-virus versions and definitions, and ensure that anti-virus software is actually enabled and working.

1.2 Patch Operating System and Software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that firewall software is up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are distributed by vendors.

This threat is known to be spread by exploiting certain vulnerabilities. Installation of patches for the following vulnerabilities will reduce the risk to your computer.

1.3 User Behavior and Precautions
Users are advised not to open or execute files from unknown sources. It is also advisable to disable the execution of JavaScript in client applications to prevent execution of unwanted scripts.

Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.

1.4 Address Blocking
Block access to the following addresses using a firewall or router, or add entries to the local hosts files to redirect the following addresses to 127.0.0.1:

  • A[.]rtbn2[.]cn
  • adserv[.]co[.]in
  • c[.]rtbn2[.]cn
  • gator862[.]hostgator[.]com
  • ftp[.]5150[.]clanservers[.]com
  • ftp[.]abid[.]co[.]cc
  • ftp[.]buldrip[.]com
  • ftp[.]dfarchs[.]com
  • ftp[.]fantasyworldtravel[.]net
  • ftp[.]successful-marketers[.]com
  • hostrmeter[.]com
  • nt002[.]cn
  • nt010[.]cn
  • nt202[.]cn
  • up002[.]cn
  • up004[.]cn
  • uu002[.]cn
  • w1[.]webinspector[.]biz
  • web192[.]ixwebhosting[.]com
  • www[.]cdcdcdcdc212121cdsfdfd[.]com
  • www[.]cdcdcdcdc2121cdsfdfd[.]com
  • zenpayday[.]com
  • zurnretail[.]com

1.5 Network Port Blocking
Some of the vulnerabilities used to compromise computers have been known to use a TCP port between 16666 and 16669 to spread. Blocking this port range at the network perimeter may help to reduce the risk to your computer.


1.6 Network Shares
This threat is also known to spread inside networks by using shares. The following steps can help protect your computer against this threat:
  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is one of sufficient length, 8 or more characters. The password should also use a combination of numeric, capital and lowercase characters, along with one or more symbols. Commonly used words from everyday language should not be used, as they may easily be defeated by a dictionary attack.
  • Disable the autorun feature to prevent dropped files from running automatically when a network drive is opened.

IMPORTANT: If a state system has been determined to have been infected with this worm, please notify DIR Security immediately: dir.security@dir.state.tx.us

In a related action, DIR implemented blocking of all traffic destined to the following IP addresses, as noted in an earlier NSOC Blocking Notice:
  • 206.188.193.195
  • 174.120.28.2
  • 12.97.188.57
  • 62.204.145.206
  • 66.55.132.6

Security Incident Reporting Instructions:
Note: The 24/7 emergency number for the Security Office is 512-350-3282.
The secondary contact is Kevin White, 512-463-7189 (office) or 512-762-3172 (cell).
DIR Security
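Added example, not part of the DIR advisory: sections 1.4 and 1.5 above ask for the listed domains to be redirected to 127.0.0.1 in the hosts file and for the listed IPs and TCP 16666-16669 to be blocked. The Python below takes indicators in the advisory's defanged form, refangs and validates them, rejects anything that is neither an IP address nor a hostname, removes duplicates, and emits hosts-file lines plus host-level Windows Firewall (netsh advfirewall) rules as a local complement to the perimeter blocks the advisory describes. The indicator list mixes entries copied from the advisory with two constructed ones (a hxxp URL and a junk string) to exercise the refang and reject paths; the rule names and the choice of netsh are mine, not DIR's.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicators from section 1.4 and the NSOC blocking list above, kept in the advisory's
# defanged form. The duplicate IP is deliberate: the generator must dedupe.
DEFANGED_INDICATORS = [
    "A[.]rtbn2[.]cn",
    "ftp[.]abid.co[.]cc",               # only partly defanged in the original list
    "gator862[.]hostgator.com",
    "www[.]cdcdcdcdc212121cdsfdfd[.]com",
    "206.188.193.195",
    "174.120.28.2",
    "206.188.193.195",
    "hxxp://zenpayday[.]com",            # constructed: URL-style defanging of a listed domain
    "not an indicator",                  # constructed: must be rejected, not silently blocked
]

# TCP port range from section 1.5
BLOCK_PORT_RANGE = (16666, 16669)

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') and strip any URL scheme and path."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^(hxxps?|https?)://", "", s, flags=re.IGNORECASE)
    return s.split("/", 1)[0].lower()


def classify(indicator: str) -> Optional[Tuple[str, str]]:
    """('ip', addr) or ('domain', name); None if the string is neither."""
    value = refang(indicator)
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    labels = value.split(".")
    if len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels):
        return ("domain", value)
    return None


def build_blocklist(indicators: List[str],
                    port_range: Tuple[int, int] = BLOCK_PORT_RANGE,
                    sinkhole: str = "127.0.0.1") -> Dict[str, List[str]]:
    """Emit hosts-file lines for domains and netsh firewall rules for IPs and the port range."""
    domains: List[str] = []
    ips: List[str] = []
    rejected: List[str] = []
    for raw in indicators:
        result = classify(raw)
        if result is None:
            rejected.append(raw)               # surfaced for a human, never guessed at
        elif result[0] == "ip" and result[1] not in ips:
            ips.append(result[1])
        elif result[0] == "domain" and result[1] not in domains:
            domains.append(result[1])
    hosts_lines = [f"{sinkhole} {d}" for d in domains]   # 127.0.0.1 per the advisory
    rules = [
        f'netsh advfirewall firewall add rule name="DIR block {ip}" '
        f"dir=out action=block remoteip={ip}"
        for ip in ips
    ]
    lo, hi = port_range
    rules.append(
        f'netsh advfirewall firewall add rule name="DIR block TCP {lo}-{hi}" '
        f"dir=in action=block protocol=TCP localport={lo}-{hi}"
    )
    return {"hosts": hosts_lines, "firewall": rules, "rejected": rejected}


if __name__ == "__main__":
    out = build_blocklist(DEFANGED_INDICATORS)
    for section, lines in out.items():
        print(f"# {section}")
        print("\n".join(lines))
```

Hosts-file entries only affect name resolution on the host that carries them; they do nothing for a connection made straight to an IP address, which is why the IP and port rules are emitted alongside them. The netsh commands need an elevated prompt, and any string the script rejects should be looked at by hand rather than dropped.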

Friday, February 12, 2010

New Features for Google Apps provided by EDLINK18

New option available for schools that use Google Apps provided by EDLINK18.

New feature: user-managed groups for users.

For more information or to get it set up, contact the Helpdesk at 432.561.4321 or helpdesk@esc18.net.

Wednesday, February 10, 2010

Grande Communications Inc. - Network Maintenance Event: 8520 02/11/2010 12:00 a.m. - 6:00 a.m. CST

See notice from Grande Communications below. This will not affect the EDLINK18 network.

-----------------------------------------------------------------------------

Good Morning,
We will be performing network maintenance on the morning of
02/11/2010, which may cause intermittent service disruptions throughout
the duration of the maintenance. Our maintenance will begin at 12:00 a.m.,
and will continue until 6:00 a.m. For this maintenance, we are
anticipating a possible outage duration of 360 minutes; however the full
window may be utilized to ensure service stability. We will do our best to
minimize service interruptions during the maintenance.

If you have any questions, please contact the Grande Operations Support
Center at 866-218-2555. Thank you for your time, and we apologize for the
inconvenience this may cause.

Additional Notes: Emergency maintenance - Upgrading our aggregate routers
to correct a critical software bug. Should not be service affecting due
to redundancy.


Operations Support Center
Grande Communications Inc.
Phone: 866-218-2555
Email: osc@corp.grandecom.com