Wednesday, December 28, 2005

Windows WMF 0-day exploit (updated)

A 0-day exploit for a vulnerability in the Windows Graphics Rendering Engine (WMF image handling) has been posted to Bugtraq. For more information see:

http://isc.sans.org/diary.php?storyid=972
http://www.securityfocus.com/bid/16074/info
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php

What you can do to protect your network:

1. Go to the 'Body Content Types' of your HTTP-Proxy and add '%0x010009000003%*' as a pattern match with the 'Rule action' set to Deny, Alarm and Log. These six bytes are the start of a standard WMF header (type 1, header size 9 words, version 0x0300, stored little-endian), so this rule catches the file by its content, whatever extension or Content-Type it is served with. Note that it does not match a placeable WMF, which starts with the key 0x9AC6CDD7 (bytes D7 CD C6 9A) in front of the standard header, nor a header with a different type or version field.
2. Go to the 'URL Path' function of your HTTP-Proxy and add '*.wmf' as a pattern match with the 'Rule action' set to Deny, Alarm and Log. If you have not installed MS05-053 yet you should also consider adding '*.emf'. Windows decides how to render the file from its content, not its extension, so do not rely on this rule alone; it only stops the obvious cases.
3. Go to the 'URL Path' function of your HTTP-Proxy and add the following URLs

'*unionseek.com/*'
'*crackz.ws/*'
'*tfcco.com/*'
'*iframeurl.biz/*'
'*beehappyy.biz/*'

as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
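The same checks as rules 1 and 2 above, written out as an added example so you can see what the body pattern does and does not match. This is not code from the original post or from Watchguard; the function names and sample bodies are mine. The sample bodies are constructed headers plus padding, not real exploit files, and the type/version values are the ones defined for the WMF META_HEADER (type 1 or 2, header size 9, version 0x0100 or 0x0300). It goes a step beyond the page's single pattern by also recognising the placeable header and the other type/version combinations, which the page's rule would let through:

```python
import struct
from typing import Optional, Tuple
from urllib.parse import urlparse

# The six bytes behind the proxy pattern %0x010009000003%, as stored on disk
# (little-endian): mtType = 0x0001, mtHeaderSize = 0x0009 words, mtVersion = 0x0300.
PATTERN_PREFIX = bytes.fromhex("010009000003")
# Key that starts an Aldus "placeable" WMF header (0x9AC6CDD7, little-endian).
PLACEABLE_KEY = bytes.fromhex("d7cdc69a")
PLACEABLE_HEADER_LEN = 22
# Extensions from rule 2 on the page (hypothetical: tune to your own rule set).
BLOCKED_EXTENSIONS = (".wmf", ".emf")


def _is_meta_header(data: bytes) -> bool:
    """True if data begins with a plausible standard META_HEADER (any type/version)."""
    if len(data) < 6:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def classify_wmf(data: bytes) -> Optional[str]:
    """Say whether a body looks like a WMF and whether the page's body rule would see it.

    'pattern'   - starts with exactly the bytes the page's body rule matches
    'standard'  - a META_HEADER with a type or version the page's rule does not match
    'placeable' - placeable WMF; the page's rule never matches (the key comes first)
    None        - does not look like a WMF
    """
    if data.startswith(PATTERN_PREFIX):
        return "pattern"
    if data.startswith(PLACEABLE_KEY) and _is_meta_header(data[PLACEABLE_HEADER_LEN:]):
        return "placeable"
    if _is_meta_header(data):
        return "standard"
    return None


def should_block(url: str, body: bytes) -> Tuple[bool, str]:
    """Apply rule 2 (URL path extension) and then rule 1 (body content)."""
    path = urlparse(url).path.lower()
    if path.endswith(BLOCKED_EXTENSIONS):
        return True, "url-path"
    kind = classify_wmf(body)
    if kind is not None:
        return True, "body-" + kind
    return False, "allow"


# Constructed sample bodies: headers followed by zero padding, no records.
SAMPLE_STANDARD = PATTERN_PREFIX + b"\x00" * 12
SAMPLE_DISK_V1 = bytes.fromhex("020009000001") + b"\x00" * 12   # type 2, version 0x0100
SAMPLE_PLACEABLE = PLACEABLE_KEY + b"\x00" * 18 + SAMPLE_STANDARD  # key + 18 bytes, then header
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 14


if __name__ == "__main__":
    for url, body in [
        ("http://example.invalid/pic.wmf", SAMPLE_STANDARD),
        ("http://example.invalid/pic.jpg", SAMPLE_STANDARD),   # renamed file: body rule catches it
        ("http://example.invalid/pic.jpg", SAMPLE_DISK_V1),    # page's single pattern misses this
        ("http://example.invalid/pic.jpg", SAMPLE_PLACEABLE),  # page's single pattern misses this
        ("http://example.invalid/pic.jpg", SAMPLE_JPEG),
    ]:
        print(url, classify_wmf(body), should_block(url, body))
```

The second sample is the case the extension rule alone cannot handle: a WMF served as pic.jpg is still matched by the body check. The third and fourth samples are the gap in the body rule as written on the page; if you want those covered on the proxy you need extra patterns for the other type/version bytes and for the placeable key.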

Saturday, December 17, 2005

Webblocker & Surfcontrol

Do you have a website that is not blocked by the webblocker, but you think it should be based on your category settings?
On the Surfcontrol website (http://mtas.surfcontrol.com/mtas/MTAS.asp) you can see the category of the website, and if it is not categorized, you can add the site to the database. If you update your webblocker database daily you will see it getting blocked in 2 to 4 days.
The great benefit of adding it to the Surfcontrol database, instead of making a "webblocker exception" is that you help out your fellow webblocker/Surfcontrol users by doing so.

Tuesday, December 13, 2005

Sober

Quote from http://isc.sans.org/diary.php?storyid=925 :

You may have read in the news that there will be a Sober worm attack on 5 Jan 06. This is due to the pre-programmed date of the current Sober variant to activate on 5 Jan 06. The interesting part is that the Sober variant has the intelligence to create pseudorandom URLs which will change based on the date. It can also synchronize the system time via atomic clocks so that it does not matter even if the system clock is not correct. F-Secure has come out with a list of URLs that you may want to block. You can read the details in F-Secure's nice writeup.

Go to the "URL Paths" function of your HTTP proxy and add the following URLs:

home.arcor.de/dixqshv/*
people.freenet.de/wjpropqmlpohj/*
people.freenet.de/zmnjgmomgbdz/*
people.freenet.de/mclvompycem/*
home.arcor.de/jmqnqgijmng/*
people.freenet.de/urfiqileuq/*
home.arcor.de/nhirmvtg/*
free.pages.at/emcndvwoemn/*
people.freenet.de/fseqepagqfphv/*
home.arcor.de/ocllceclbhs/*
scifi.pages.at/zzzvmkituktgr/*
people.freenet.de/qisezhin/*
home.arcor.de/srvziadzvzr/*
people.freenet.de/smtmeihf/*
home.pages.at/npgwtjgxwthx/*
people.freenet.de/idoolwnzwuvnmbyava/*
people.freenet.de/mhfasfsi/*
people.freenet.de/nkpphimpfupn/*
people.freenet.de/ozumtinn/*
people.freenet.de/bnfyfnueoomubnw/*
people.freenet.de/kbyquqbwsku/*
people.freenet.de/mlmmmlmhcoqq/*
scifi.pages.at/ikzfpaoozw/*
home.pages.at/ecljoweqb/*
free.pages.at/wgqybixqyjfd/*
home.arcor.de/ykfjxpgtb/*
home.arcor.de/oodhshe/*
home.arcor.de/mtgvxqx/*
home.arcor.de/tucrghifwib/*
home.arcor.de/ftpkwywvkdbuupw/*

You can also use the webblocker exception list for this.
Remember to set the action to deny and alarm. This way the traffic will be blocked and you will be notified.

If you are not based in a German-speaking country you can of course also just block the whole hosting sites:

people.freenet.de/*
scifi.pages.at/*
home.pages.at/*
free.pages.at/*
home.arcor.de/*

Saturday, December 10, 2005

Trouble with JS/Wounk-A

Add "*s_ta_ts.js" as a pattern match to the "URL Paths" function of your HTTP proxy, and set it to deny.
I see it getting blocked almost 2 times a week. This saved me a lot of phone calls.
Of course, most of the time this would not work, but for some unknown reason JS/Wounk-A always goes by the name s_ta_ts.js.

More information on JS/Wounk-A can be found here http://www.sophos.com/virusinfo/analyses/jswounka.html

Use your Watchguard firewall to the max

This blog is to help users of the Watchguard firewall use all of its functions to their max.
I hope it is of some use.