Read on for information on installing and using the plugin.

Where to get it

The project is hosted here on Google Code.

How to install it

Unzip the mariposa.zip file. There will be 3 files – mariposa.dll, the source file, and packet-mariposa.c. Copy the DLL into the wireshark plugin directory. For example, d:\wireshark\plugin. The code was compiled based on Wireshark version 1.2.2. It may work on previous versions, but there are no guarantees.

How to use it

Restart Wireshark. Open a PCAP of the Mariposa command and control traffic. Locate the traffic which you want to decypt, right-click and select Decode As…

A dialog box will appear (on the Transport tab) and you will get a list on the right side of the dialog box. Search and choose MARIPOSA and click Apply.

“MARIPOSA” will now appear as the protocol for the associated traffic.

How to read it

In the Wireshark Packet Detail window, there is a tree named MARIPOSA Protocol, you will find Opcode, Seq, Original Data, Decrypted Data, BOT cmd, BOT cmd Content items. The Decrypted Data is probably the most interesting. Click on it to view the decrypted data.

Mariposa pulling a file down from Rapidshare

Receiving attack instructions

A confirmation message from the infected client to the command and control server – “Flood running”

When we compared 2 US universities of equal size (roughly 13,000 students each), we were intrigued to find that one institution with open application usage policies had roughly 250 infected clients (an infection rate of 2%). The other university has a more proactive approach to application usage on the network and actively uses the Palo Alto Networks devices to control usage of P2P applications. Their university has only seen a few infected clients. The difference is in the control of the P2P applications. If you can control applications, you can control the threats that ride in over those connections.

Control the application, control the threats.

I often hear the question, how big or how good is Palo Alto Networks’ vulnerability research team? If you look at the website or collateral for leading IPS vendors, you will see that most of them tout things like their premier research organization, dedicated team of researchers, research lab dedicated to vulnerability discovery and disclosure, network security experts working around the clock to discover, assess and respond to vulnerabilities, delivering preemptive security, etc.

As October’s monstrous Microsoft security bulletin was just released earlier this week, I decided to take a look at the number of Microsoft vulnerabilities found by leading IPS companies over the last 6 months.

Since Microsoft credits each one of the vulnerabilities to the discovering researcher and their organization, it would be easy to go back through the last 6 months of security bulletins to figure out who has been doing vulnerability research and who hasn’t. Often times these newly discovered vulnerabilities are submitted to Microsoft months in advance and though it’s impossible to tell how many or when they will be published as security advisories, you can quickly gather a trend of how much research is being done if you look at it over a period of time. The results were basically the same across the last 6 months as it was for all of 2009.

Over the last 6 months, Palo Alto Networks has discovered 6 vulnerabilities (4 critical and 2 important severity) published by Microsoft. Let’s compare that to the next closest IPS vendors. The ISS X-Force research team was credited with 3 Microsoft vulnerabilities (2 critical and 1 moderate severity). TippingPoint’s DVLabs, their in- house research team – not their Zero-day Initiative, which pays external researchers for contributed vulnerabilities – has published 2 vulnerabilities – 1 critical and 1 important severity. McAfee’s Avert Labs comes in with 1 critical Microsoft vulnerability published. And finally Juniper and SourceFire with no published Microsoft vulnerabilities not just for the past 6 months but for the past 2 years.

Now where are all those around-the-clock researchers in distributed locations around the globe that are discovering vulnerabilities? The illusion that a smaller more agile team is at a disadvantage in discovering and providing analysis for vulnerabilities is a fallacy.

There is no Microsoft patch available for the vulnerability, and it is recommended that Palo Alto Networks customers with vulnerable Microsoft devices upgrade to content version 142. For more information about the Microsoft advisory on the vulnerability, check out the link below.

http://www.microsoft.com/technet/security/advisory/975497.mspx

What is cause of the vulnerability?
The Microsoft DirectShow component has an issue that doesn’t allow it to properly parse specially crafted QuickTime media files.

What is DirectX?
Microsoft DirectX is a feature of the Windows operating system. It is used for streaming media on Microsoft Windows operating systems to enable graphics and sound when playing games or watching video.

What is DirectShow?
DirectX consists of a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation and rendering. Microsoft DirectShow is used for streaming media on Microsoft Windows operating systems. DirectShow is used for high-quality capture and playback of multimedia streams. It automatically detects and uses video and audio acceleration hardware when available, but also supports systems without acceleration hardware. DirectShow is also integrated with other DirectX technologies. Some examples of applications that you can create using DirectShow include DVD players, video editing applications, AVI to ASF converters, MP3 players, and digital video capture applications.

How could an attacker exploit the vulnerability?
This vulnerability requires that a user/victim open a specially crafted QuickTime file or receive specially crafted streaming content from a Web site or any application that delivers Web content.

What might an attacker use the vulnerability to do?
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To find out more about the DirectX vulnerabilities discovered by Palo Alto Networks, please click on the link below.

http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx

Conficker (aka Downadup), is a computer worm that targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows 7 Beta. Conficker spreads via this buffer overflow vulnerability in the Server Service on Windows machines. The worm employs a specially crafted RPC request to execute code on the target computer.

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It receives further instructions by connecting to a server. The instructions it receives may include to propagate, gather personal information and to download and install additional malware onto the victim’s computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.

Palo Alto Networks devices can stop the worm via:

- Antivirus download signatures

- Vulnerability protection for MS08-067

- Phone home signature for infected hosts

Here are some other interesting articles about Conficker:

NY Times article
SRI Analysis of Conficker C
Wikipedia

Both the normal and HQ streaming options make use of Silverlight and asf streaming – which is a new technique for the 2009 tourney.

Most enterprises are familiar with this time of year and the tourney’s impact on their networks. Many organizations will again implement URL filtering policies limiting or banning http://mmod.ncaa.com – which will block traffic to the March Madness on Demand streaming site. The problem that organizations face this year is that users are more savvy than ever, and options to circumvent simple URL filtering policies are legion.

Assuming a simple URL filtering policy to block the http://mmod.ncaa.com URL, users can still watch NCAA tournament games at work using a number of applications that easily bypass enterprise controls:

• Public proxies (e.g., Hopster, Kproxy)

• Private proxies (e.g., CGIproxy set up on a broadband connection at home)
• Tunneling or circumvention applications (e.g., UltraSurf, TOR)
• Slingbox (connected to the television at home)

If enterprises really do want to get control of this potentially damaging use of bandwidth, in addition to a simple URL filtering block, they should also look at getting control over Silverlight, proxies (both public and private), circumvention applications, and Slingbox traffic. The problem is that enterprises can’t do this with traditional security infrastructure.

Palo Alto Networks, with its innovative App-ID technology, can see and control all of the above-mentioned applications and techniques for getting around URL filtering – including proxies, circumvention applications, Slingbox, and Silverlight – by user and or group. Palo Alto Networks next-generation firewalls also provide URL filtering, integrated into the same application- and user-based policies.

Here are the vulnerabilities that were released by Microsoft today:

Microsoft Windows SMB Authenticate by Replay Host Remote Code Execution Vulnerability
Vendor ID: MS08-068
CVE: CVE-2008-4037

Microsoft Internet Explorer MSXML3 Race Condition Memory Corruption Vulnerability
Vendor ID: MS08-069
CVE: CVE-2007-0099

Microsoft MSXML DTD Cross-Domain Scripting Vulnerability
Vendor ID: MS08-069
CVE: CVE-2008-4029

Microsoft MSXML Header Request Vulnerability
Vendor ID: MS08-069
CVE: CVE-2008-4033

Click here to view the Microsoft Security Bulletin for November 2008.

Palo Alto Networks released coverage for this Microsoft vulnerability shortly after Microsoft announced the vulnerability. Palo Alto Networks customers received a signature for this vulnerability in emergency content release version 90.

Click here to view the Microsoft Security Bulletin.

In this weeks content release, we have added the ability to identify and control the posting of comments to the top financial message boards. These boards are a hotbed for day traders and others seeking the stock tip that will make them rich. They are also a common place for sensitive information to get leaked from within companies. These new AppIDs give administrators the ability to enable employees to browse the message boards without the risk of them succumbing to the temptation to respond to the comments on the board.

One potential solution to this problem is blocking the POST method within the HTTP flow. This is a very rudimentary way of gaining control. Many web sites use POST for normal transfer of information. It is no longer restricted to the “posting” of information to websites. Many dynamic applications will no longer function properly when taking this approach. With signatures targeted at the specific posting activity on the message boards, administrators can apply the control and avoid the backlash of complaints due to broken websites. If they choose not to block this posting activity, they will have a record of the users that are engaging in this activity, should they have a leak they need to investigate.