April 2004 - Posts
http://www.f-secure.com/weblog/
Now that different Netsky variants rule the earth (there are 7 different Netsky variants in the top 10 right now), it's easy to forget how big a problem the Mydoom worm was just three months ago. To put things into perspective, here are our stats for 2004 so far, sorted by the percentage of all infections:
1 Mydoom.A 46.4 %
2 Netsky.D 12.5 %
3 Netsky.B 10.7 %
4 Netsky.P 9.7 %
5 Swen.A 2.0 %
6 Netsky.Q 1.8 %
7 Netsky.C 1.6 %
8 Netsky.T 1.4 %
9 Dumaru.A 1.2 %
10 Sobig.F 1.1 %
The big peak caused by Mydoom in the end of January is also nicely visible in this graph:

This morning Symantec listed new worms that exploit the Microsoft Windows Local Security Authority Service Remote Buffer Overflow vulnerability. Applying the MS04-011 security patch will prevent infection by these new threats.
W32.Gaobot.AFJ
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afj.html
W32.Gaobot.AFJ is a worm that spreads through open network shares, backdoors installed by the Beagle and Mydoom worms, and several Windows vulnerabilities including:
* DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
* Exploits the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
W32.Gaobot.AFC
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afc.html
W32.Gaobot.AFC is a worm that spreads through open network shares and several Windows vulnerabilities including:
* The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
* The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
* The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
* The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
* Exploits the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
W32.Gaobot.AFW
http://www.sarc.com/avcenter/venc/data/w32.gaobot.afw.html
W32.Gaobot.AFW is a worm that spreads through open network shares and several Windows vulnerabilities including:
* The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
* The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
* The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
* The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
* Exploits the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
Microsoft has released security bulletin MS04-011. The security bulletin contains all the relevant information about the security update, including file manifest information and deployment options. To view the complete security bulletin, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
For additional information about known issues that may occur after you install the security update, click the following article numbers to view the articles in the Microsoft Knowledge Base:
840997 You cannot view enhanced metafile format graphics files (or EMF image files) that were created in Adobe Illustrator
841384 "STOP 0x00000079" error message after you install the security update that is described in Microsoft Security Bulletin MS04-011 on a Windows NT 4.0-based computer
841382 Your computer stops responding, you cannot log on to Windows, or your CPU usage for the System process approaches 100 percent after you install the security update that is described in Microsoft Security Bulletin MS04-011
For additional information about general issues that may occur when you install software updates that replace the Ntoskrnl.exe file, click the following article numbers to view the articles in the Microsoft Knowledge Base:
246507 Windows NT does not start, error message about Ntoskrnl.exe
224526 Windows NT 4.0 supports maximum of 7.8-GB system partition
Symantec has also classified this first MS04-011 variant as W32.Gaobot.AFJ. The "good news" is that it is not an active threat, as the IRC server it depends on has been shut down; the "bad news" is that it provides a model for further work on worms that exploit MS04-011.
First MS04-011 Worm emerges: W32/Gaobot.worm.ali
http://vil.nai.com/vil/content/v_125006.htm
http://www.incidents.org/diary.php?date=2004-04-28
http://www.incidents.org/diary.php?date=2004-04-27
At the time of this writing, there are more than 900 variants of the Gaobot virus in existence. The source code for Gaobot was posted to various websites resulting in many new variants being created each week.
W32/Gaobot.worm.ali stands out from the others as it seems to be the first variant that incorporates code to exploit an MS04-011 vulnerability (the LSASS vulnerability, CAN-2003-0533).
This particular variant is not currently a threat, as it depends on an IRC server that is no longer available. However, it is presumed that functional variants will likely follow soon, and the details of those variants will likely differ from this one.
For maximum protection against the Gaobot family, users are recommended to:
* use the latest engine/DATs combination
* ensure the scanning of compressed files is enabled
* keep Windows systems patched by using Windows Update
* ensure weak username/passwords are not used
* run a personal desktop firewall application
The virus contains lots of remote access functionality, including:
* Create/Remove services
* Denial of service attack
* FTP/HTTP functions (upload, download files, etc)
* IRC functions
* Retrieve system information (RAM, CPU, Disk Space)
* Secure/insecure Windows shares
* Shutdown/reboot/logoff computer
* Sniffer
* Steal CD and product keys for various products
* Terminate running processes
Special Note - suffix letters may not match up due to naming conventions among AV Vendors
McAfee
http://vil.nai.com/vil/content/v_124875.htm
Symantec
http://www.symantec.com/avcenter/venc/data...eagle.x@mm.html
Trend
http://www.trendmicro.com/vinfo/virusencyc...me=WORM_BAGLE.Z
F-Secure
http://www.f-secure.com/v-descs/bagle_z.shtml
Important consideration: CPL & HTA extensions
The CPL and HTA extensions may not be blocked in many company firewall systems. The attachment can have any of the following extension names: .COM, .CPL, .EXE, .HTA, .SCR, .VBS, .ZIP
The link below is a good list for blocking email attachments based on extension types that are susceptible to viruses.
eMail Attachment Block-List
http://googleit.aptonline.net/pages/emailblocklist.html
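An added example (not from the post or the linked block list) of how a mail gateway can apply the extension block list above: it parses a constructed MIME message and flags any attachment whose name carries a blocked extension anywhere in its dotted suffixes, so double-extension names such as photo.jpg.cpl are caught too. The message, addresses and attachment contents are placeholders constructed for the example.

```python
import email
from email import policy

# Extensions from the block list in the post above; a real gateway list would be longer.
BLOCKED_EXTENSIONS = {".com", ".cpl", ".exe", ".hta", ".scr", ".vbs", ".zip"}

def is_blocked(filename):
    """True if any dotted suffix of the name is on the block list.
    Every suffix is checked, not only the last one, so 'photo.jpg.cpl' and a
    space-padded 'photo.jpg      .exe' are caught as well as 'pics.zip'."""
    segments = filename.lower().split(".")[1:]
    return any("." + seg.strip() in BLOCKED_EXTENSIONS for seg in segments)

def attachment_names(raw_message):
    """Filenames of every part that carries one, walking nested multiparts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]

def triage(raw_message):
    """Split a message's attachment names into blocked and allowed lists."""
    names = attachment_names(raw_message)
    blocked = [n for n in names if is_blocked(n)]
    allowed = [n for n in names if n not in blocked]
    return {"blocked": blocked, "allowed": allowed}

# Constructed sample: a zip whose password sits in the body (the Bagle.Z pattern),
# a CPL disguised with a double extension, and a harmless text file.
# The example.invalid addresses and base64 bodies are placeholders.
SAMPLE_MESSAGE = b"""\
From: "Support" <support@example.invalid>
To: user@example.invalid
Subject: Re: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The archive password is 12345.
--b1
Content-Type: application/zip; name="pics.zip"
Content-Disposition: attachment; filename="pics.zip"
Content-Transfer-Encoding: base64

UEsFBg==
--b1
Content-Type: application/octet-stream; name="photo.jpg.cpl"
Content-Disposition: attachment; filename="photo.jpg.cpl"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Meeting moved to 3pm.
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```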
http://vil.nai.com/vil/content/v_124873.htm
http://www.f-secure.com/v-descs/netskyab.shtml
http://www.sarc.com/avcenter/venc/data/w32.netsky.ab@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AB
As of April 28, 2004 1:20 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_NETSKY.AB. TrendLabs has received several infection reports indicating that this malware is spreading in Japan, Taiwan and Korea. There are also infections in Europe, particularly in France. This variant shares nearly 98% of its functionality with NetSky.AA. Netsky.AB attaches its executable file to e-mails that it sends out.
http://www.incidents.org/diary.php?date=2004-04-27
The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (Local Security Authority Subsystem Service) vulnerabilities patched under MS04-011. Reference these old diary entries:
http://isc.sans.org/diary.php?date=2004-04-26
http://isc.sans.org/diary.php?date=2004-04-25
We are currently focusing on some keywords found in the executable that indicate that an LSASS exploit has been added, specifically, the command string "CScannerLSASS". We are currently investigating the code, and will update the diary as new information becomes available. Traffic matching this bot was first observed yesterday evening (EDT) at multiple US .edu's. The bot appears to inherit all other functions usually associated with 'phatbot'.
http://www.symantec.com/avcenter/venc/data/hacktool.lsasssba.html
Hacktool.LsassSba is a hacktool that takes advantage of the LSASS Vulnerability (described in Microsoft Security Bulletin MS04-011) to provide an attacker with a command shell on a remote computer.
When Hacktool.LsassSba is executed, it sends a specially crafted exploit string to an IP address specified by the attacker. This string attempts to exploit the LSASS Vulnerability (described in Microsoft Security Bulletin MS04-011), targeting TCP ports 137, 138, 139 and 445.
If successful, the hacktool opens a command shell on the targeted computer and then connects back to a specified IP and port (this is TCP port 1234 by default). Once this process is complete, the attacker will have administrative access to the compromised computer.
F-Secure shares a weblog which is one of my favorite sites to check for breaking developments. The following table shows some of the largest virus families where multiple variants have been constantly created (with Agobot as the top entry with over 450 entries).
http://www.f-secure.com/weblog/
LARGEST VIRUS FAMILIES (as noted by F-Secure)
| FAMILY NAME | LAST VARIANT | TYPE |
| --- | --- | --- |
| Agobot | RO | Backdoor |
| CAP | JM | Word Macro |
| Delf | MV | Backdoor |
| Jerusalem.1808 | FV | File infector |
| Laroux | OU | Excel Macro |
| Loveletter | CZ | Word Macro |
| Marker | LA | Word Macro |
| Npad | KB | Word Macro |
| SDBot | KL | Backdoor |
| Stoned | EV | Boot sector |
| Thus | GP | Word Macro |
| Wazzu | HM | Word Macro |
This is the first formally published security concern I've seen that takes advantage of the recent Microsoft security vulnerabilities patched in April 2004. It is not a virus or worm, but this malicious program could be used by attackers to compromise the security of unpatched systems.
This new development illustrates that there might be storm clouds on the horizon, so it's important to get patched up.
MS04-011 - Hacktool.THCIISLame (hacker tool)
http://www.symantec.com/avcenter/ve...thciislame.html
Hacktool.THCIISLame is a hack tool that takes advantage of the SSL PCT Windows vulnerability, as described in Microsoft Security Bulletin MS04-011. It provides an attacker a system shell on a specified remote computer. The vulnerability affects unpatched versions of Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. It is considered Critical for NT/2000, Important for XP, and Low for 2003.
MS04-011 Vulnerability Information
http://www.microsoft.com/technet/se...n/MS04-011.mspx
Upon execution, Hacktool.THCIISLame performs the following actions:
1. Sends a specially crafted exploit string to TCP port 443 of the IP address, specified on the command line.
2. If the vulnerability is successfully exploited, the shell code executed will reconnect to the IP and port that the attacker specified on the command line.
http://www.sophos.com/virusinfo/articles/cihfive.html
Five years ago today, on 26 April 1999, the CIH virus (also known as Chernobyl) caused considerable damage as it flashed critical chips inside computers worldwide. According to government reports, in South Korea alone it caused over $250 million damage, infecting a quarter of a million computers.
The virus, named "Chernobyl" by the media as it was programmed to activate its destructive payload on the thirteenth anniversary of the Chernobyl reactor meltdown, was able to wipe the data from users' hard disks and overwrite the computer BIOS chip, making the computer unusable.
"The Chernobyl virus opened a new chapter in the severity of computer malware," said Graham Cluley, senior technology consultant for Sophos. "It could effectively turn your computer into a useless lump of plastic - the only way to get your PC working again was to open it up and replace the chip."
Once the BIOS chip of infected computers was overwritten by the Chernobyl virus, users found they were unable to use their computers at all. Repair involved physically removing the BIOS chip and replacing it with a fresh one. On some computers, the BIOS chip is not removable, and so it could only be replaced by swapping the entire motherboard.
Virus Characteristics: - Update 26th April 09:37 PST -- Due to increased prevalence, this threat has had its risk assessment raised to medium.
This is a new variant of W32/Bagle@MM. It is packed using UPX. It is not polymorphic and a static MD5 is not suitable as garbage is always appended to the file. This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- attachment can be a password-protected zip file, with the password included in the message body
- contains a remote access component (notification is sent to hacker)
- copies itself to folders that have the phrase "shar" in the name (such as common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
In about 3 months a total of 60 variants have emerged as noted in the link below. The "wars" started when one virus writer started removing infections from the other two families if present. This competition has started a steady stream of new variants almost daily.
HISTORY OF THE VIRUS WARS
http://www.f-secure.com/weblog/archives/vw5.gif
Please note this message containing a hostile URL has been spammed extensively on the Internet. I personally got a number of these and the hostile URL noted could load a trojan or process an exploit. Please delete these messages and do not visit the web site noted in the actual message.
NIBU.D TROJAN: “Osama Bin Laden Captured” email
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.d.html
Osama Bin Laden Captured -- An email is circulating on the internet today that claims to be from CNN or BBC. The email utilizes this exploit to download a file pics.chm that in turn contains and executes a Trojan. McAfee has identified this as Exploit-MhtRedir.gen and Norton identifies it as Backdoor.Nibu.D. The Trojan once executed attempts to steal passwords and bank account information.
An example I found in my in-box this morning:
Subject: Osama Bin Laden Captured.
Date: Fri, 23 Apr 2004 19:49:29 +0500
Just got this from CNN Osama Bin Laden has just been captured! A video and some pictures have been released. Goto the link below for pictures, I will update the page with the video as soon as I can:
http://<hostile web site URL>/pics/
God Bless America!
SANS is evaluating moving to a heightened alert status for the Internet Storm Center. As malicious individuals are most likely trying to craft new Internet worms, hopefully this event will be delayed as long as possible, so that everyone can complete the job of patching up.
INTERNET STORM CENTER
http://www.incidents.org/
Internet Storm Center evaluates moving from GREEN to YELLOW
http://www.incidents.org/diary.php?date=2004-04-23
Potential Microsoft PCT worm (MS04-011)
In response to observed active exploit of the PCT vulnerability, announced in Microsoft Bulletin MS04-011, some AV vendors have raised alert status. The IT-ISAC reports that some IDS are "detecting and blocking attacks against many institutions. The attacks are attempting to steal data and/or break into payment systems."
An exploit for this issue is currently being used to compromise vulnerable systems running SSL-enabled IIS 5.0. Note that the vulnerability exists in any SSL-enabled program running on vulnerable Windows systems. Windows 2003 Server is not affected if PCT is disabled.
Possible move to Yellow
We are closely monitoring the IIS exploit and may move to Yellow this evening.
=====================================
CERT -- More on the new PCT Exploit
Exploit for Microsoft PCT vulnerability released
http://www.us-cert.gov/current/current_activity.html#pct
Exploit code has been publicly released that takes advantage of a buffer overflow vulnerability in the Microsoft Private Communication Technology (PCT) protocol. The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information about the vulnerability is available in TA04-104A and VU#586540.
US-CERT is aware of network activity that is consistent with scanning and/or exploit attempts against this vulnerability. Reports indicate increased network traffic to ports 443/tcp and 31337/tcp. The PCT protocol runs over SSL (443/tcp) and the known exploit code connects a command shell on 31337/tcp. Note that the exploit code could be modified to use a different port or to execute different code. This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-011.
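The US-CERT note above and the Gaobot descriptions earlier on this page name the ports worth watching at a perimeter: the ports the worms scan for (tcp/135, tcp/445, tcp/80, udp/1434, tcp/443) and the ports the exploit shells connect back on (tcp/31337, tcp/1234). The following is an added example, not code from any vendor quoted here, of the two checks a defender would run over firewall logs: a horizontal sweep of many hosts on one scanned port, and any connection to a connect-back port. The log line format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Ports this page associates with the worms' propagation; labels are for reporting only.
WATCHED_PORTS = {
    ("tcp", 135): "DCOM RPC (MS03-026)",
    ("tcp", 445): "Workstation service / LSASS (MS03-049, MS04-011)",
    ("tcp", 80): "WebDAV (MS03-007)",
    ("udp", 1434): "SQL Server 2000 / MSDE 2000 (MS02-061)",
    ("tcp", 443): "SSL / PCT (MS04-011)",
}
# Ports the page names for the exploits' connect-back shells.
CALLBACK_PORTS = {("tcp", 31337): "PCT exploit shell", ("tcp", 1234): "Hacktool.LsassSba shell"}

# Hypothetical firewall log format: <timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>allow|deny)$"
)

def parse_line(line):
    """Return one log record as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_sweeps(lines, min_targets=5):
    """Sources that contacted at least min_targets distinct hosts on one watched port.
    A worm hunting for MS04-011 or MS03-026 targets shows exactly this horizontal
    pattern; denied connections count too, since a blocked probe still reveals the scanner."""
    seen = defaultdict(set)  # (src, (proto, dport)) -> distinct destination hosts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["dport"])
        if key in WATCHED_PORTS:
            seen[(rec["src"], key)].add(rec["dst"])
    hits = defaultdict(dict)
    for (src, key), dsts in seen.items():
        if len(dsts) >= min_targets:
            hits[src][WATCHED_PORTS[key]] = len(dsts)
    return dict(hits)

def find_callbacks(lines):
    """Connections to the connect-back ports named on the page. An internal host
    opening one of these has most likely already been exploited."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["proto"], rec["dport"]) in CALLBACK_PORTS:
            label = CALLBACK_PORTS[(rec["proto"], rec["dport"])]
            out.append((rec["src"], rec["dst"], rec["dport"], label))
    return out

# Constructed sample log: one host sweeping tcp/445 across a subnet, ordinary web
# browsing from another host, one host calling back to tcp/31337, and a junk line.
SAMPLE_LOG = """\
2004-04-28T09:00:01 tcp 10.0.0.5:3121 -> 10.0.1.1:445 deny
2004-04-28T09:00:01 tcp 10.0.0.5:3122 -> 10.0.1.2:445 deny
2004-04-28T09:00:01 tcp 10.0.0.5:3123 -> 10.0.1.3:445 allow
2004-04-28T09:00:02 tcp 10.0.0.5:3124 -> 10.0.1.4:445 deny
2004-04-28T09:00:02 tcp 10.0.0.5:3125 -> 10.0.1.5:445 deny
2004-04-28T09:00:02 tcp 10.0.0.5:3126 -> 10.0.1.6:445 deny
2004-04-28T09:00:05 tcp 10.0.0.9:3300 -> 198.51.100.10:80 allow
2004-04-28T09:00:06 tcp 10.0.0.9:3301 -> 198.51.100.10:80 allow
2004-04-28T09:00:09 tcp 10.0.1.3:1044 -> 198.51.100.7:31337 allow
garbage line that does not parse
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(find_sweeps(lines))
    print(find_callbacks(lines))
```

The host that was allowed through on tcp/445 is the same one that later calls back on 31337, which is the sequence the US-CERT note describes.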
This link below offers some of the best information I've seen on the detailed vulnerabilities and their potential impacts on unpatched systems.
Trend Micro - Indepth Information on the vulnerabilities patched under MS04-011
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS04-011_MICROSOFT_WINDOWS&VSect=T
This cumulative release from Microsoft covers the following newly discovered vulnerabilities:
- LSASS Vulnerability
- LDAP Vulnerability
- PCT Vulnerability
- Winlogon Vulnerability
- Metafile Vulnerability
- Help and Support Center Vulnerability
- Utility Manager Vulnerability
- Windows Management Vulnerability
- Local Descriptor Table Vulnerability
- H.323 Vulnerability
- Virtual DOS Machine Vulnerability
- Negotiate SSP Vulnerability
- SSL Vulnerability
- ASN.1 “Double-Free” Vulnerability
Refer to the Technical Details section for details on these vulnerabilities.
The vulnerabilities covered under this release affect the following software:
- Microsoft Windows NT® Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
- Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, and Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server™ 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft NetMeeting
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), Microsoft Windows Millennium Edition
The patch released for these vulnerabilities cover highly critical security holes. It should be applied immediately. Access the patch and additional information in the following Microsoft page:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
While major alerts have been issued, the potential for attacks will most likely be isolated to specific vulnerable servers or routers rather than the entire Internet infrastructure.
The concern is that TCP/IP is used extensively for Internet and Intranet communications on a widespread basis. The primary concern is the disconnection of static BGP connections as noted in the articles. However, vendors are scrambling to provide security fixes, which should be appearing soon.
TCP/IP and Internet Security Vulnerabilities
A flaw in the most popular communications protocol for sending data on the Net could let attackers shut down connections between servers and routers, according to an advisory released Tuesday by Britain's national emergency response team. TCP--the Transmission Control Protocol--contains a flaw that "varies by vendor and application, but in some deployment scenarios...is rated critical."
Most implementations of the Border Gateway Protocol (BGP) rely on the Transmission Control Protocol (TCP) to maintain persistent unauthenticated network sessions. There is a vulnerability in TCP which allows remote attackers to terminate network sessions. Sustained exploitation of this vulnerability could lead to a denial of service condition; in the case of BGP systems, portions of the Internet community may be affected. Routing operations would recover quickly after such attacks ended.
Leading networking equipment vendors Cisco Systems Inc. and Juniper Networks Inc. are expected to release advisories for their customers this week that explain which of their products contain BGP code vulnerable to attack and to offer updated versions of operating system software for those devices that fix the problem.
Despite the dire warnings, the impact of the TCP hole will probably be small, Ingevaldson said. Leading networking vendors have probably been in conversation with US-CERT and the NISCC far in advance of the news becoming public, giving those companies time to prepare a patch. Also, the BGP protocol was designed to be resistant to attack and to support digital signatures using algorithms such as MD5 that can prevent spoofing, he said. "This is a serious issue because it's widespread, but there probably won't be a widespread impact," he said.
SERIOUS TCP/IP VULNERABILITIES
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
http://www.uniras.gov.uk/vuls/2004/236929/index.htm
http://www.securityfocus.com/news/8499
http://news.com.com/2100-1002_3-5195909.html
http://www.infoworld.com/article/04/04/20/HNtcpwarning_1.html
CORE INTERNET TECHNOLOGY VULNERABLE TO HACKERS
http://www.securityfocus.com/news/8491
http://news.com.com/2100-1009-990608.html
http://www.eweek.com/article2/0,1759,1570947,00.asp
Exploit for Windows SSL Flaw Circulating
http://www.internetnews.com/dev-news/article.php/3343011
And here's yet another indication that something big might be coming (although I hope not)
VeriSign said it's alerting customers that a big Internet worm may be coming, based on traffic anomalies and other data gleaned at its SOCs (Secure Operations Centers).
Engineers said they have noticed increased traffic on port 443 and port 1025, indicating possible attacks in the works. Also, there is evidence of two vulnerabilities being exploited, one involving SSL and the other RPC, and reports of a working exploit for the ASN.1 Windows vulnerability announced by Microsoft earlier this year, according to VeriSign.
"While we can never predict with true certainty the next big Slammer or Blaster, our statistical traffic modeling surrounding the past weeks' traffic has all the telltale markers of a big worm coming," a spokesperson for VeriSign's managed security services said Friday.
This site provides a list of available AV updates, security patches, security events, and other notable updates. This is a great site to check for any outstanding updates that might need to be performed.
http://www.dozleng.com/updates/index.php?act=calendar
Example of updates posted on April 20, 2004
* KAV
* Ad-aware
* Foxmail
* TDS-3
* CWShredder 1.56.3
* Tauscan
* AntiVir Personal Edition
* AVG AntiVirus
* The Cleaner Professional
* What would you do for chocolate?
* BOClean
* avast
* Exchange 2000 Post-SP3
* Exchange 2003 Store Patch 6980.72
* OneNote 2003 Service Pack 1 Preview
A survey on passwords was carried out for the Infosecurity Europe trade show. The survey data was gathered by questioning commuters passing through Liverpool Street station in London and found that many were happy to share login and password information with those carrying out the research.
Passwords - 70% would disclose this for a bar of chocolate
http://news.bbc.co.uk/2/hi/technology/3639679.stm
More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found. It also showed that 34% of respondents volunteered their password when asked without even needing to be bribed. A second survey found that 79% of people unwittingly gave away information that could be used to steal their identity when questioned.
Family names, pets and football teams were all used by those questioned to provide inspiration for a password. The survey found that, on average, people have to remember four passwords, though one unlucky respondent had to remember 40. Many adopt very unsafe tactics to remember these login names. Some of those questioned simply use the same password for every system they must log on to.