RE: Stopping information leakage

["Jerry Shenk" <jshenk () decommunications com>]

That's not malware of any hidden anything....apparently your e-mail app is
programmed to process html links.  The original e-mail message included the
link for this web site.  It is quite interesting that a simple text link
like that would cause a connection.  Chalk up another reason not to use
Outlook!

In this reply, I'm changing that original link.  I've changed the greater
than and less than signs to open and close braces and just to be sure, I
also changed the 222 in the middle of the IP address to xxx.  Check out the
original section from Vernon Stark to see what I'm referring to.


-----Original Message-----
From: Walter Wart [mailto:ribbit () speakeasy net]
Sent: Tuesday, May 13, 2003 5:55 PM
To: incidents () securityfocus com; jshenk () decommunications com
Subject: RE: Stopping information leakage


I don't know what sort of malware or hidden program you've got running in
your email message, but please get rid of it. It crashes outlook and outlook
express and tries to access the internet from my windows box.

-------Original Message-------

From: Jerry Shenk
Date: Tuesday, May 13, 2003 02:26:12 PM
To: Stark, Vernon L.; incidents () securityfocus com
Subject: RE: Stopping information leakage

It's even worse than tracking who came by....that will cause the victim to
pass NetBIOS authentication information to the host site (210.222.4.129).
The victim site could be sniffing all NetBIOS traffic and then replay it and
collect it with L0phtcrack and crack the password hashes.

I would agree that this points to the value of egress filtering.....in a BIG
way!

I've been recommending html to text mail conversions but sometimes people
like their html e-mail just a bit too much.....I just turned it off for one
client this AM;(

-----Original Message-----
From: Stark, Vernon L. [mailto:Vern.Stark () jhuapl edu]
Sent: Tuesday, May 13, 2003 12:33 PM
To: 'incidents () securityfocus com'
Subject: Stopping information leakage


I recently spotted several of our hosts attempting to contact a host
in Korea primarily on TCP ports 139 and 445. We believe we've run this to
ground. Our analysis suggests this is due to a news site that has probably
had their web page hacked. The web page contains the following source code:

 { img src=file://210. xxx .4.129/web.jpg }

Packets captured from one of our hosts indicate that almost immediately
after receiving this content, the host attempts to contact host
210.222.4.129 on port 445 and then on port 139. Various hosts involved have
also used ports TCP 21 and UDP 137. According to www.apnic.net,
210.222.4.129 is assigned to the Korea Network Information Center. When I
e-mailed the owner of the web site, he promptly called me. He indicated
that he had removed the content shown above and it later reappeared.

This content at least gives the attacker the ability to see who
visits the web site. Depending upon the web site with the hacked content,
this may provide the attacker with the ability to harvest a very useful
member list. Moreover, if ports 139 and 445 are not blocked outbound,
additional information leakage can result since the Korean host (when last
tested) will gladly accept connections on port 139. A host can report host
name, operating system, domain name, etc. This emphasizes the importance of
having a policy that denies all traffic except that required. Such a policy
will generally deny outbound traffic on ports 139 and 445 since this traffic
is generally only appropriate on the intranet.

The following Snort rules have been used to track this particular
traffic:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Content 210.222.4.129
spotted. Korean port 139 host."; content:"210.222.4.129"; )

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Content 210.222.4.129
spotted. Korean port 139 host."; content:"210.222.4.129"; )

alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"Outgoing port 139
activity"; )

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"Outgoing port 445
activity"; )

Vern Stark, GCIA, GSEC
JHU/APL

Any opinions expressed are mine and may not reflect those of my employer.



----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------



----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------


.


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------